Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws

A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft. Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts. Moskowsky told The …

  1. Nick Ryan Silver badge

    Samsung: good hardware, appalling software. However fair play that they accepted the faults and fixed them (hopefully)

    1. Anonymous Coward

      Even more appalling Terms & Conditions. If EU GDPR was properly applied, their current configuration should not even be allowed on the market but that applies to Android itself as well - Samsung just makes it way, waaaay worse.

    2. J. Cook Silver badge

      And appalling support lifetimes on said hardware, too. While I understand that phone lifecycle times have gone from 18 months to 'NOW NOW NOW NOW NOW!!!!11111oneoneone', some of us keep their tablets for a bit longer, and would appreciate bug fixes and extended OS support for them without having to root/jailbreak the things and put generic OS builds on them that lack certain features. (The Galaxy Note 8 was a nice tablet; shame that the OS it came with sucked so very much, and had so much bloat and crap on it...)

  2. GnuTzu Bronze badge

    No No No -- Not The "Referer" Alone

    First, yes, "Referer" is actually spelled that way in the HTTP standard--not my fault. They'd better be doing more than just relying on that header, as it's spoof-able. Like "User-Agent", it's simply not a strong security control.
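    As an added illustration of the point above (example code, not from the article or any commenter), here is a password-reset guard that keeps the Referer/Origin check as one layer but only lets the change through when a per-session synchronizer token also matches. SITE_ORIGIN, the session and the request dictionaries are constructed stand-ins, not Samsung's real hosts or parameters.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for the site's own origin (not Samsung's real host).
SITE_ORIGIN = "https://account.example.test"


def issue_session():
    """Server-side session carrying a fresh, unguessable CSRF token."""
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def referer_allows(headers):
    """The weak layer the comment warns about: Referer/Origin alone.

    Browsers and proxies often strip Referer, so a missing header has to be
    tolerated, and the value is set client-side, so it can't stand alone."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return True  # lenient on purpose: privacy settings strip Referer
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_allows(session, form):
    """Synchronizer token: the form value must equal the session's token.

    compare_digest avoids leaking the token through timing differences."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])


def password_reset_allowed(session, headers, form):
    """Defence in depth: the reset proceeds only if both layers agree."""
    return referer_allows(headers) and token_allows(session, form)


def demo():
    """Constructed requests: one from the site's own form, one cross-site
    post with Referer stripped and no token. Returns (good, forged)."""
    s = issue_session()
    good = password_reset_allowed(
        s, {"Origin": SITE_ORIGIN}, {"csrf_token": s["csrf_token"]})
    forged = password_reset_allowed(s, {}, {"new_password": "x"})
    return good, forged
```

    Note that `referer_allows({})` returns True on its own, which is exactly the gap the token check closes.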

    1. Rajesh Kanungo

      Re: No No No -- Not The "Referer" Alone

      I simply don't understand why they don't use client side HTTPS/TLS authentication along with the server side authentication. It is so seamless that I have a hard time explaining it to people.

  3. DougS Silver badge

    $13,300?

    For discovering a bug so bad it basically gave access to everyone's Samsung account??? At even a dime per user exposed the guy could probably retire on a beach somewhere.

    I wonder how much he could have made if he'd sold this on the dark web? Or how much Samsung would have paid in fines if the flaw had been used to grab the info of all their EU users?
