Samsung is currently topping sales charts worldwide with a wide range of Android powered phones catering to virtually all market segments. This mass distribution of mobile devices has magnified the importance of creating secure mobile applications. Unfortunately, a CSRF loophole has been found in one of the South Korean phone manufacturer’s proprietary applications.
The CSRF issue has been exposed in Samsung’s Find My Mobile application. Originally found by Egyptian researcher Mohamed Baset, it was officially exposed by the National Institute of Standards and Technology (NIST). This service is pre-installed by default in all Samsung Galaxy phones, thereby putting millions of users at risk.
Cross-Site Request Forgery is a common application-layer vulnerability that allows a malicious attacker to use an active session of the victim to perform actions on his behalf without his consent or prior knowledge. CSRF incidents are tough to spot as they are disguised as normal user requests.
How exactly was Samsung’s Find My Mobile app hacked?
Find My Mobile is Samsung’s proprietary “geo-locating” application that helps its customers perform a series of functions, including locking the device and activating the ringer remotely. Baset’s proof of concept (POC) demonstrates how it’s possible to exploit the vulnerable application and perform remote actions without the user’s knowledge.
Baset’s POC, shared on YouTube, shows how he can easily control a stolen Samsung Galaxy S3 device remotely from the comfort of his home PC. He easily manages to gain all privileges to lock and ring the device using his malware. This is made possible due to a Zero-Day flaw in the Samsung service where the sender of the lock-code data is not validated.
Baset starts off the hacking by logging into the Find My Mobile service at Samsung.com via his browser. He then accesses a malicious website in a new tab, which is what initiates the manipulation. The malware injects malicious commands into the Find My Mobile tab, enabling Baset to perform the locking/unlocking and ringing.
Baset exploiting the aforementioned Find My Mobile CSRF vulnerability.
NIST has “awarded” the vulnerability a CVSS severity rating of 7.8. To make matters worse, firing up the Galaxy Apps platform is enough to trigger the automatic download of “Samsung In-App Purchase”, “Samsung Billing” and other features related to Samsung’s application hub. This basically opens up more targets for the malicious attacker.
In the meantime, Samsung is claiming to have fixed the issue in a security patch released on October 13. All Samsung phone owners using Find My Mobile are strongly advised to check for updates and install the security patch. Also, people with pirated ROMs are advised to revert to the official Samsung firmware for secure mobile usage.
CSRF vulnerabilities and how CxSuite helps in fighting them
Also known as Session Riding and XSRF attacks, CSRF attacks are fast gaining popularity amongst cybercriminals. As per the Superfecta report (covering the top four types of cyberattacks executed today: SQL Injection, XSS, Directory Traversal and CSRF) released by FireHost, CSRF attacks almost doubled from Q1 of 2012 to Q1 of 2013.
Once a mobile device is hacked with the CSRF technique, a wide range of exploits are possible. These include:
- Impersonation and identity riding.
- Modification of application data using the victim’s credentials and permissions.
- Posting content on behalf of the victim without his consent or prior knowledge.
- Launching of organized attacks against all of the application’s users.
Samsung has not yet started the use of Unique CSRF Tokens, which basically cripple the malicious URLs as they can’t be validated by the server. The user gets a random CSRF token every time he logs into the web application. The server then needs to validate the Unique CSRF Token in all subsequent requests, thereby securing the application.
More and more applications are also starting to implement the Tokens per Request strategy. While highly similar to the aforementioned Unique CSRF Tokens, this requires the server to validate each request with a different token. Timing out sessions is another effective method that reduces the time-frame that the malicious attacker has to operate.
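As an added illustration (not Samsung’s or Checkmarx’s code), here is a minimal server-side implementation of both strategies described above, using a hypothetical in-memory token store and constructed session ids:

```python
import hmac
import secrets


class CsrfGuard:
    """Anti-CSRF token check for a remote-lock/ring web service (hypothetical store).

    mode="session": one token per login, required on every state-changing request.
    mode="request": the token is rotated after each accepted request, so it is single-use.
    """

    def __init__(self, mode="session"):
        if mode not in ("session", "request"):
            raise ValueError("mode must be 'session' or 'request'")
        self.mode = mode
        self._tokens = {}  # session_id -> currently valid token

    def login(self, session_id):
        """Issue the token at login; the page embeds it in its forms/AJAX calls."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def handle_action(self, session_id, action, submitted_token):
        """Return (accepted, next_token) for a state-changing action such as 'lock'.

        A cross-site forgery carries the victim's session cookie (session_id) but
        cannot read the token, so it arrives with no token or a wrong one.
        """
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False, None
        # constant-time comparison so response timing does not leak the token
        if not hmac.compare_digest(expected, submitted_token):
            return False, None
        if self.mode == "request":
            self._tokens[session_id] = secrets.token_urlsafe(32)  # single use
        return True, self._tokens[session_id]


def demo(mode="request"):
    """Legit request passes; forged request (no token) fails; replay fails in request mode."""
    guard = CsrfGuard(mode)
    token = guard.login("sess-victim")  # constructed session id
    forged, _ = guard.handle_action("sess-victim", "lock", None)
    accepted, next_token = guard.handle_action("sess-victim", "lock", token)
    replayed, _ = guard.handle_action("sess-victim", "ring", token)
    return {"forged": forged, "accepted": accepted, "replayed": replayed,
            "rotated": next_token != token}
```

In "session" mode the same token stays valid for the whole login, so a replayed token is accepted; in "request" mode it is rejected because the server rotated it after the first use.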
Checkmarx’s flagship product, the CxSuite, helps in combating CSRF vulnerabilities by inspecting the implementation of the Unique CSRF Token. The Source Code Analysis (SCA) solution scans application code and alerts the developer when there is no provision for an anti-CSRF token.
Follow Mohamed Baset @SymbianSyMoh