
Samsung's promotion may have exposed data of 900 thousand customers

12/2/2016

This article was translated by an automatic translation system, and was therefore not reviewed by people.


The vulnerability was in the registration activation address sent in an e-mail link.

A flaw in the "Samsung For You" website, on which the South Korean company offers discounts, exposed the information of almost one million consumers registered on the page, such as CPF, address and telephone number. Samsung says only that it is looking into the situation.

The vulnerability was in the activation address of a registration sent by e-mail: the address was predictable and authenticated the user without requiring the access password, giving access to the profile and data of each user. The information comes from the G1 portal.

A São Paulo consumer, who bought a Galaxy S7 Edge smartphone in a shopping mall in the south of the capital, filed a complaint on Reclame AQUI after being registered in the promotion. After the purchase, the store's sales agent offered the customer the chance to win a pair of glasses, and to do so, she signed him up for the same "Samsung For You" promotion at the same time. "The saleswoman herself did the registration and told me that I would have to wait 7 business days for a reply. After 12 business days I received a reply that did not recognize the photo of the tax receipt. On November 18 I received the reply that it had been approved for the release of the gift. I opened several calls on Samsung's website and none were answered," he reported in a complaint filed on Reclame AQUI.

Contacted by the Digital Security column, Samsung said it is "investigating the reported situation and is monitoring the site to act promptly should any abnormalities arise." The company gave the customer service numbers 4004-0000 (capitals) and 0800-124421 (other cities).

The problem was discovered by systems analyst Rafael Braga Gianesini when he had to use the site to receive a headset. He then tried to contact Samsung to get the company to solve the problem, but ran into difficulties. There is no evidence that the data has leaked on the web. When asked, Samsung did not say whether or not it had had access to the information.

One-Click Vulnerability

Gianesini noticed that the web address sent by e-mail to confirm the registration or change the account password also automatically logs the user in, creating a risk of unauthorized access: whoever has the link does not need the password.

Despite all this "power", the address was predictable and sequential: if one registered user's link ended in "1", the next one ended in "2", and so on. With this, it was possible to access the profile of any registered customer. Once access had been gained, the website allowed all the registration information to be viewed: full name, telephone, CPF, e-mail address, physical address, and landline and cell phone numbers.

The Digital Security column was able to confirm the facts revealed by the analyst.

Understand the attack

The attack did not require any special tools, just a web browser. The attacker would have to register on the site, copy the link received in the confirmation e-mail, change the number at the end of the address (from "350" to "351" or "349", for example) and open it in the browser. With this, he would already be logged into the site as someone else and could open the registration page to see the data. The procedure could be repeated, or even automated by a program, to extract all the information from the site.
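From the defender's side, the enumeration described above leaves a distinctive trace in web server logs: one client redeeming many activation links whose identifiers form a near-sequential run. The following is an added example, not code from the article, from G1 or from Samsung; it runs a simple detector over a handful of constructed log lines in an assumed "client timestamp method path" format (the IP addresses and identifiers are made up for the example).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines for this example (not real Samsung logs).
# Assumed format: "client_ip ISO-timestamp method path".
SAMPLE_LOG = """\
203.0.113.5 2016-11-04T10:00:01 GET /activate/349
203.0.113.5 2016-11-04T10:00:03 GET /activate/350
203.0.113.5 2016-11-04T10:00:04 GET /activate/351
203.0.113.5 2016-11-04T10:00:06 GET /activate/352
203.0.113.5 2016-11-04T10:00:07 GET /activate/353
198.51.100.9 2016-11-04T10:01:00 GET /activate/8812
198.51.100.9 2016-11-04T10:05:00 GET /profile
192.0.2.77 2016-11-04T10:02:00 GET /activate/4410
192.0.2.77 2016-11-04T10:02:30 GET /activate/4410
"""

# Only activation requests with a numeric identifier are of interest.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+/activate/(\d+)$")


def parse_activation_hits(log_text):
    """Map each client to the list of activation identifiers it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(1)].append(int(m.group(4)))
    return hits


def find_enumerating_clients(log_text, min_ids=3, max_gap=2):
    """Flag clients whose distinct activation ids form a near-sequential run.

    A legitimate user redeems one activation link (perhaps twice, if they
    reload it). A client walking 349, 350, 351, ... is enumerating other
    users' links. Returns {client: sorted distinct ids} for flagged clients.
    """
    flagged = {}
    for client, ids in parse_activation_hits(log_text).items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue
        # Length of the longest run where neighbouring ids differ by <= max_gap.
        best = run = 1
        for a, b in zip(distinct, distinct[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_ids:
            flagged[client] = distinct
    return flagged


if __name__ == "__main__":
    for client, ids in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"enumeration suspected from {client}: ids {ids[0]}..{ids[-1]}")
```

The thresholds (`min_ids`, `max_gap`) are assumptions for the example; in practice they would be tuned against the normal rate at which a single client redeems activation links, and the detector would read the real log format rather than the constructed one above.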

As "Samsung For You" is a promotional page that gives free gifts and promotions to customers who register, Gianesini also came to know the site after buying a Samsung product.

"I bought a cell phone and had to register on the site to receive a headset, but I had problems with the registration and had to access the site several times to open and follow up on the calls. The problem is that you cannot change the password. I had to request a 'forgot password' and realized that the URL of the 'go to the site' button already authenticated me," says the expert.

Gianesini considered the flaw "amateur". "Any single user could have had access to data from more than 900,000 customers. It did not require any advanced IT knowledge," he says. If the flaw fell into the hands of criminals, he estimates that the data could be used in social engineering scams (fraudsters, for example), and also to attack customers directly on the site, changing addresses so that promotional products are sent somewhere else.

Difficulty of contact

Samsung has not indicated whether it has a contact for security issues like this. Several companies, including Apple, Microsoft, Google and Facebook, have specific channels for reporting security issues and even reward those who follow the rules and meet certain conditions.

Gianesini says that because he did not find such a channel, he had a hard time talking to Samsung. He attempted contact on November 4 via the "Email to Samsung" channel, but the system had technical problems and he was unable to follow up on the contact after Samsung's response on the 7th.

The next day, November 8, the systems analyst tried the chat channel. This contact was answered by e-mail on November 21 by an employee of the retailer Magazine Luiza, which is a partner in Samsung's online store. Only then was the problem finally reported. The Magazine Luiza employee replied that it was a problem on Samsung's own website and that the information would be forwarded. The flaw was then fixed the next day (11/22).

The column contacted Magazine Luiza, which reaffirmed that it is not responsible for the "Samsung For You" site. "The partnership [with Samsung] is limited to the partner's e-commerce operation. The request in question was passed on to Samsung," the company said.

Risk remains after solution

Even after a solution was adopted by Samsung, Gianesini found that the links still authenticate users. The Digital Security column again confirmed this behavior. Although the links are no longer sequential, which considerably hinders the attack, they apparently have no expiration date. The same link received on Tuesday (29/11) still worked this Friday (2/12).

As the link still authenticates the user, some risk of data exposure remains, since an attacker has unlimited time (with links that do not expire) to attempt access. Samsung was informed but did not comment on whether it considers this a risk.
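The two weaknesses the article describes, sequential activation addresses ("Understand the attack") and links that never expire ("Risk remains after solution"), are both addressed by the way activation tokens are generated and redeemed. The following is an added example, not code from the article, from G1 or from Samsung, of one way to issue activation links that are unguessable, time-limited and single-use, with only a hash of the token stored server-side. The in-memory store, the 15-minute lifetime and the `/activate?token=` URL shape are assumptions of this example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory token store for this example. Assumption: a real
# deployment keeps the same columns in a persistent store.
# Key: SHA-256 hex digest of the token. Value: user_id, expires_at, used.
_TOKENS = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links are valid for 15 minutes


def _digest(token: str) -> str:
    # Only the hash is stored, so a copy of the table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_activation_link(user_id: int, base_url: str, now=None) -> str:
    """Create a single-use, expiring activation link for user_id.

    The token is 32 bytes from the OS CSPRNG (256 bits of entropy), so the
    links of two users registered one after the other share no structure:
    knowing one link says nothing about the next.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}/activate?token={token}"


def token_from_link(url: str):
    """Extract the token query parameter from an activation link, or None."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def redeem_activation_token(token, now=None):
    """Return the user_id the token activates, or None if it is not accepted.

    A token is rejected when it is unknown, already used, or past its expiry.
    The reason is not distinguished to the caller. Note that redeeming only
    confirms the registration; it does not create a logged-in session, so the
    password is still required to access the profile afterwards.
    """
    if not token:
        return None
    now = time.time() if now is None else now
    record = _TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True  # single use: a link left in a mailbox cannot be replayed
    return record["user_id"]


if __name__ == "__main__":
    link = issue_activation_link(42, "https://example.invalid")
    print("first redemption ->", redeem_activation_token(token_from_link(link)))
    print("second redemption ->", redeem_activation_token(token_from_link(link)))
```

The three properties work together: randomness removes the enumeration path, the expiry bounds how long a leaked or forwarded link is worth anything, and single use means a link that has already done its job cannot be replayed later. Keeping the activation step separate from session creation is what removes the "having the link, you do not need the password" problem the article describes.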

Sequential identifier points to 950 thousand entries

Recent entries on the site receive identification numbers above 950,000. This number was also verified by the Digital Security column. Because these numbers are sequential, this means that the page has already registered 950,000 customers, although it is not possible to say how many of them still have their data in the system.

Samsung has not confirmed this number.

Source: G1

- See more at: http://noticias.reclameaqui.com.br/noticias/promocao-da-samsung-pod-ter-exposto-dados-de-900-mil-client_2579/#sthash.72UlHzx7.dpuf

 

Source: Reclame AQUI
