A recently patched trio of flaws in Samsung’s mobile site was leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts, The Register reports.
The flaws were found by security researcher Artem Moskowsky, who said that they were all cross-site request forgery (CSRF, also written XSRF) bugs. Moskowsky said that the problem was with the way that the Samsung.com account page handled password-reset security questions.
Read more about the Samsung flaw, which could have let an attacker access user profiles, change information such as usernames, or even disable two-factor authentication (2FA), change passwords and thereby take over accounts, on Naked Security.
BlackBerry Ltd. and Samsung Electronics Co. agreed to sell each other’s mobile-security technology in an effort to win more enterprise customers.
The deal was the highest-profile of several partnership and distribution agreements BlackBerry announced Thursday to drive sales of its new mobile-security software—dubbed BlackBerry Enterprise Service 12. BES12 is the anchor of the company’s strategy to double revenue from software sales to $500 million and return to profitability in its next fiscal year by winning back corporate and government business.
BlackBerry also announced deals with customer-management software provider Salesforce.com Inc., mobile-device distributor Brightstar Corp. and several wireless carriers including Orange SA, Verizon Wireless, and Vodafone Group PLC, all aimed at getting BES12 in front of as many potential customers as possible.
Read more about the new tie-up between BlackBerry and Samsung on The Wall Street Journal.
In response to recent reports that its “Find My Mobile” service is affected by a vulnerability that can be leveraged to lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.
The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.
Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.
Read more about Samsung’s clarification of the Find My Mobile vulnerability on Security Week.
The National Institute of Standards and Technology is warning of the presence of a Zero-Day flaw in the Samsung FindMyMobile service.
US-CERT/NIST is warning of the presence of a zero-day flaw that affects the Samsung FindMyMobile web service (CVE-2014-8346). Samsung FindMyMobile implements several features that allow users to locate a lost device, to play an alert on a remote device, or to remotely lock the phone.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” states the security advisory issued by NIST.
Read more about the zero-day flaw in the Samsung FindMyMobile feature at Security Affairs.
The world’s largest electronics maker by revenue said the US’ National Information Assurance Partnership (NIAP), an IT product evaluator under the NSA, has approved and listed the Galaxy Note 4 and other Samsung devices on its Commercial Solutions for Classified (CSfC) program listing.
Approved products include the Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy Note 4, Galaxy Note 10.1 (2014 Edition), Galaxy Note Edge, Galaxy Alpha, Galaxy Tab S 8.4, Galaxy Tab S 10.5, and the Galaxy IPSEC Virtual Private Network (VPN) Client.
The listed products are now available for use on classified government networks, and can be used to store sensitive data by the US government.
Read more about how and why the NIAP approved Knox-enabled Samsung devices for classified use on ZDNet.