New research disclosed a string of severe security vulnerabilities in ‘Find My Mobile’—an Android app that comes pre-installed on most Samsung smartphones—that could have allowed remote attackers to track victims’ real-time location, monitor phone calls and messages, and even delete data stored on the phone.
Portugal-based cybersecurity services provider Char49 revealed its findings on Samsung’s Find My Mobile Android app at the DEF CON conference last week and shared details with The Hacker News.
“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (SD card included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,” Char49’s Pedro Umbelino said in a technical analysis.
The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+ devices, were addressed by Samsung after it flagged the exploit as a “high impact vulnerability.”
Samsung’s Find My Mobile service allows owners of Samsung devices to remotely locate or lock their smartphone or tablet, back up data stored on the devices to Samsung Cloud, wipe local data, and block access to Samsung Pay.
According to Char49, there were four different vulnerabilities in the app that could have been exploited by a malicious app installed on the targeted device, thus creating a man-in-the-disk attack to hijack communication from the backend servers and snoop on the victim.
The flaw stems from the fact that the app checks for the presence of a specific file on the device’s SD card (“/mnt/sdcard/fmm.prop”) in order to load a URL (“mg.URL”). A rogue app can create this file, which a bad actor can then use to potentially hijack the communications with the server.
“By pointing the MG URL to an attacker-controlled server and forcing the registration, the attacker can get many details about the user: coarse location via the IP address, IMEI, device brand, API level, backup apps, and several other information,” Umbelino said.
To achieve this, a malicious app installed on the device makes use of an exploit chain that leverages two different unprotected broadcast receivers to redirect commands sent to Samsung’s servers from the Find My Mobile app to a different server that’s under the attacker’s control and execute malicious commands.
The malicious server also forwards the request to the legitimate server and retrieves the response, but not before injecting its own commands in the server responses.
In doing so, a successful attack could allow a hacker to track the device’s location, grab call data and text messages for spying, lock the phone for ransom, and erase all data through a factory reset.
Needless to say, the vulnerability is yet another indicator of how an app that’s meant to safeguard users against information loss can be susceptible to a number of flaws that can defeat the app’s purpose.
“The FMM [Find My Mobile] application should not have arbitrary components publicly available and in an exported state,” Umbelino said. “If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”
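One way to check an app for the condition Umbelino describes is to audit its manifest for exported components that carry no permission. The following is an added example, not code from Char49 or Samsung; the package, component and permission names in the sample manifest are constructed, and it assumes a decoded (text) AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Providers are skipped: their export default follows different rules.
COMPONENT_TAGS = ("activity", "activity-alias", "receiver", "service")

# Constructed manifest for a hypothetical package; not taken from the FMM app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.finder">
  <permission android:name="com.example.finder.permission.CONTROL"
              android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".RegisterReceiver" android:exported="true"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.finder.PUSH"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.finder.permission.CONTROL"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported (the default before Android 12 made the attribute mandatory)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name, reason) for exported components other apps can reach."""
    root = ET.fromstring(xml_text)
    # Permissions this app declares at signature level (same-signer callers only).
    strong = {p.get(A + "name") for p in root.iter("permission")
              if (p.get(A + "protectionLevel") or "normal").startswith("signature")}
    app = root.find("application")
    app_perm = app.get(A + "permission") if app is not None else None
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            name, perm = comp.get(A + "name"), comp.get(A + "permission") or app_perm
            if perm is None:
                findings.append((tag, name, "exported without permission"))
            elif perm not in strong:
                findings.append((tag, name, "review permission level: " + perm))
    return findings
```

A component guarded by a platform-defined permission lands in the "review" bucket, because this check only knows the protection level of permissions declared in the same manifest.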
Just two days ago, a new decentralized cryptocurrency called YAM was revealed by its creators. On its first day, the crypto coin had a market cap of $60 million, but a single-line bug in the code caused the currency to collapse, and YAM’s market cap went to zero in just 35 minutes.
YAM was a decentralized finance experiment, so it used a governance system (for making protocol changes). It was based on a yield farming protocol where tokens are supposed to keep parity with the U.S. dollar through loosening or contracting supply.
Around 6 PM UTC, on Wednesday, August 12, the team discovered a bug in the YAM rebasing contract that would mint far more YAM coins than it intended to sell. This resulted in a large amount of YAM being sent to the protocol reserve, explained the YAM project in a blog post.
“These tokens were owned by the governance contract itself, and therefore couldn’t vote. Because they exist and can’t vote, it’s impossible to ever meet the minimum voter participation. This means governance is permanently disabled, and all other tokens held by the governance contracts are permanently locked.”
In short, the coin lost control of its on-chain governance feature. The code hadn’t been properly audited given its relative newness, and the bug caused the protocol to keep printing “dud” YAM tokens that ended up preventing token holders from making any governance decisions.
The bug responsible for the above came from this line of code:
totalSupply = initSupply.mul(yamsScalingFactor);
But it was actually supposed to be something like this:
totalSupply = initSupply.mul(yamsScalingFactor).div(BASE);
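The effect of the missing division can be reproduced with plain integer arithmetic. The following is an added example, not the YAM contracts: it is a simplified model that assumes BASE is 10**18 (the usual 18-decimal fixed-point unit), and the mint fraction, quorum fraction and function names are hypothetical.

```python
BASE = 10**18  # assumed fixed-point unit: a scaling factor of 1.0 is stored as BASE

def total_supply_buggy(init_supply, scaling_factor):
    # The line quoted in the article: the product keeps an extra factor of BASE.
    return init_supply * scaling_factor

def total_supply_fixed(init_supply, scaling_factor):
    # The corrected line: dividing by BASE undoes the fixed-point scaling.
    return init_supply * scaling_factor // BASE

def rebase(init_supply, scaling_factor, supply_fn, mint_bps=1000):
    """Hypothetical rebase: mint mint_bps/10000 of the computed supply to the reserve."""
    total = supply_fn(init_supply, scaling_factor)
    reserve_mint = total * mint_bps // 10_000
    return total, reserve_mint

def quorum_reachable(voting_tokens, reserve_tokens, quorum_bps=400):
    """Reserve tokens count toward supply but cannot vote (hypothetical 4% quorum)."""
    supply = voting_tokens + reserve_tokens
    needed = supply * quorum_bps // 10_000
    return voting_tokens >= needed

def demo():
    init_supply = 29_000_000          # constructed: whole tokens held by voters
    factor = 11 * BASE // 10          # constructed: a 10% positive rebase (1.1)
    voters = total_supply_fixed(init_supply, factor)
    _, ok_mint = rebase(init_supply, factor, total_supply_fixed)
    _, bad_mint = rebase(init_supply, factor, total_supply_buggy)
    return {
        "intended_reserve_mint": ok_mint,
        "buggy_reserve_mint": bad_mint,
        "inflation_factor": bad_mint // ok_mint,
        "quorum_with_fix": quorum_reachable(voters, ok_mint),
        "quorum_with_bug": quorum_reachable(voters, bad_mint),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```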
The team says that nearly all of the $750,000 in Curve tokens stored in the project’s treasury have been locked up by the code flaw. These assets were intended to serve as a reserve currency to support the value of YAM tokens.
All the efforts to regain control of the YAM treasury have failed, so YAM co-founder Brock Elmore tweeted an apology:
There were nearly 29 million YAM tokens in circulation. At one point, the project even managed to touch a market cap of about $525 million. Even now the currency appears to have a value of about $29m, that is, if you can find any YAM buyers. Anyway, the project announced a plan to migrate to YAM 2.0.