The National Institute of Standards and Technology (NIST) is warning of a zero-day vulnerability in the Samsung Find My Mobile service.
The Samsung “Find My Mobile” web service provides a set of features that let users locate a lost device, play an alert on it remotely, or lock the lost phone remotely to prevent data theft and misuse of the device.
US-CERT/NIST tracks the flaw in the Samsung Find My Mobile service as CVE-2014-8346, rates its severity as High, and gives it an exploitability subscore of 10.0.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” states the security advisory issued by NIST.
The zero-day vulnerability discovered in Samsung Find My Mobile is a cross-site request forgery (CSRF) that could allow a hacker to remotely lock the device.
Cross-site request forgery (CSRF) is an attack that tricks the victim into loading a page that contains a specially crafted HTML exploit; because the victim's browser automatically attaches the session cookies for the target site, the forged request is processed as if the victim had made it. In practice, an attacker uses CSRF to trick a victim into clicking a link or visiting a page that issues malicious or unauthorized requests on the victim's behalf.
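To make the advisory's phrase "does not validate the source of lock-code data" concrete from the defender's side, here is an added example that is not part of the original article and not Samsung's code. It contrasts a lock handler that acts on any authenticated POST with one that also requires a same-site Origin/Referer and a per-session anti-CSRF token; the trusted origin, the `lock_code`/`csrf_token` field names and the request/session dictionaries are constructed assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed illustration: not Samsung's code. The origin, header names and
# form field names below are assumptions made for this example.

TRUSTED_ORIGIN = "https://findmymobile.example"   # placeholder origin, constructed


def issue_csrf_token(session):
    """Bind a fresh, unguessable token to the user's server-side session.
    The legitimate page embeds this token in its lock form; a page on another
    origin cannot read it (same-origin policy), so it cannot supply it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def vulnerable_lock_handler(request, session):
    """The weak pattern the advisory describes: any authenticated POST that
    carries a lock_code is acted on, with no check of where it came from."""
    if not session.get("user"):
        return False, "not logged in"
    return True, "device locked with code %s" % request["form"].get("lock_code")


def hardened_lock_handler(request, session):
    """Defended pattern: require POST, a same-site Origin/Referer, and a CSRF
    token that matches the one bound to the session."""
    if not session.get("user"):
        return False, "not logged in"
    if request["method"] != "POST":
        return False, "state change must use POST"

    # Check 1: the request must originate from the trusted site. Browsers add
    # Origin (or at least Referer) to cross-site form posts, and a hostile page
    # cannot rewrite those headers on the user's behalf.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False, "missing Origin/Referer header"
    src, trusted = urlparse(source), urlparse(TRUSTED_ORIGIN)
    if (src.scheme, src.netloc) != (trusted.scheme, trusted.netloc):
        return False, "cross-site request rejected (origin %s)" % source

    # Check 2: the anti-CSRF token must match, compared in constant time.
    expected = session.get("csrf_token") or ""
    supplied = request["form"].get("csrf_token") or ""
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"

    return True, "device locked with code %s" % request["form"].get("lock_code")


def demo():
    """Run both handlers against a legitimate request and a cross-site one.
    Returns a dict of (accepted, reason) tuples keyed by scenario."""
    session = {"user": "alice"}             # constructed logged-in session
    token = issue_csrf_token(session)

    # Constructed: the user's own browser submitting the real lock form.
    legit = {
        "method": "POST",
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"lock_code": "1234", "csrf_token": token},
    }
    # Constructed: the same browser submitting a form served by another origin.
    # The session cookie still rides along, but the Origin differs and the
    # other page never had access to the token.
    cross_site = {
        "method": "POST",
        "headers": {"Origin": "https://other-site.example"},
        "form": {"lock_code": "9999"},
    }
    return {
        "vulnerable_legit": vulnerable_lock_handler(legit, session),
        "vulnerable_cross_site": vulnerable_lock_handler(cross_site, session),
        "hardened_legit": hardened_lock_handler(legit, session),
        "hardened_cross_site": hardened_lock_handler(cross_site, session),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-22s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Running the block shows the vulnerable handler locking the device for both requests, while the hardened handler accepts only the request that carries the trusted origin and the session-bound token. Either check alone blocks the basic forged-form case; using both gives defence in depth when one header is stripped by a proxy or privacy extension.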
Below is the proof-of-concept video, which gives a complete explanation of how the attack works against Samsung’s Find My Mobile service.