A now-patched vulnerability in the Galaxy Store app for Samsung devices could have potentially triggered remote command execution on affected phones.
The flaw is a cross-site scripting (XSS) bug that can be triggered when handling certain deep links.
The vulnerability impacts Galaxy Store version 4.5.32.4, it was reported by an independent security researcher through the SSD Secure Disclosure program.
“In the Galaxy Store application, there are some deeplinks handled. Deeplink can be called from another application or from a browser. When receiving suitable deeplinks Galaxy Store will process and display them via webview.” reads the advisory. “Here, by not checking the deeplink securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application.”
The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS).
The SamSung MCS Direct Page website was parsing the parameter from the url and then display it on the website, but it did not encode, leading to an XSS error.
“We can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.” continues the advisory.
While analyzing the deeplink process code, the expert noticed two functions, downloadApp and openApp, in the Class EditorialScriptInterface.
The two functions allow getting the app id and downloading them from the store or opening them. This means that it is possible to use JS code to call these two functions. In this scenario, an attacker can inject arbitrary code into the MCS website and execute it.
This issue can be exploited to download and install malicious apps on the Samsung device when visiting the link.
Samsung has already issued patches to address this issue.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Log4Shell)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.