Two new vulnerabilities have been discovered in the Galaxy App Store application, enabling local attackers to install arbitrary applications or execute JavaScript by launching a specific web page.
The findings come from cybersecurity researchers at NCC Group, who published an advisory about them last Friday.
“It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a secure way,” wrote NCC Group researcher Ken Gannon, describing the first flaw (tracked as CVE-2023-21433), which was rated high-risk by Samsung.
“This makes it possible for other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.”
As for the second vulnerability (tracked as CVE-2023-21434 and rated moderate risk by Samsung), Gannon found that a webview within the Galaxy App Store contained a filter that restricted the domains the webview could access.
“However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” the security researcher explained in the advisory.
In other words, tapping a malicious link in Google Chrome, or a pre-installed rogue application on a Samsung device, could bypass Samsung’s URL filter and launch a webview to a domain specified by a threat actor.
Both issues reportedly affected only Samsung devices running Android 12 and below. They were patched by Samsung in version 4.5.49.8 of the Galaxy App Store on January 01, a month after NCC Group disclosed the vulnerabilities on December 03.
“Users should open the Galaxy App Store on their phone and, if prompted, download and install the latest version,” Gannon concluded.
The patches come nearly a year after cyber-criminals broke into the network of Samsung Electronics and stole source code. More recently, the company revealed that an unspecified number of its customers in the US had their personal information accessed by an unauthorized user in July 2022.
Some parts of this article are sourced from:
www.infosecurity-magazine.com