A now-patched security flaw has been disclosed in the Galaxy Keep application for Samsung gadgets that could probably result in distant command execution on impacted phones.
The vulnerability, which impacts Galaxy Keep version 184.108.40.206, relates to a cross-site scripting (XSS) bug that happens when managing specified deep links. An unbiased security researcher has been credited with reporting the issue.
“Here, by not checking the deep website link securely, when a person accesses a connection from a internet site made up of the deeplink, the attacker can execute JS code in the webview context of the Galaxy Retail outlet application,” SSD Protected Disclosure claimed in an advisory posted past week.
The issue identified in the Galaxy Keep application has to do with how deep backlinks are configured for Samsung’s Promoting & Material Support (MCS), probably major to a situation the place arbitrary code injected into the MCS site could direct to its execution.
This could then be leveraged to down load and set up malware-laced applications on the Samsung unit when checking out the hyperlink.
“To be in a position to effectively exploit the victim’s server, it is required to have HTTPS and CORS bypass of chrome,” the scientists noted.
Uncovered this post exciting? Abide by THN on Facebook, Twitter and LinkedIn to study extra distinctive content we article.
Some elements of this post are sourced from: