Re: None

Friday, 12/14/2018 9:26:21 PM
Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws

https://www.theregister.co.uk/2018/12/10/samsung_patches_accountstealing_hole/

If Artem Moskowsky owes you money, it's a good time to ask

A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft.

Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.

Moskowsky told The Register that the vulnerabilities were due to the way the Samsung.com account page handled security questions. When the user forgets their password, they can answer the security question to reset it.

Normally, the Samsung.com web application would check the "referer" header to make sure data requests only come from sites that are supposed to have access.

In this case, however, those checks are not properly run and any site can get that information. This would let the attacker snoop on user profiles, change information (such as user name), or even disable two-factor authentication and steal accounts by changing passwords.

"Due to the vulnerabilities it was possible to hack any account on account.samsung.com if the user goes to my page," Moskowsky explained.

"The hacker could get access to all the Samsung user services, private user information, to the cloud."

In one proof of concept, the researcher showed how an attack site could use the CSRF flaw to change the target's Samsung.com security question to one of the attacker's choosing. Armed with the new security question and its answer, the attacker would then use the "reset password" function to steal the target's Samsung account.

It turned out the situation was even worse than the researcher initially thought. Thinking there were only two CSRF vulnerabilities on the site, Moskowsky went to report the issue directly to Samsung – something that was also done through the Samsung.com website. While reporting the issue, he noticed a third bug, the one that would allow him to forcibly change security questions and answers.

"I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page," Moskowsky explained.

"This page didn't look like a similar page on account.samsung.com. There was an additional 'secret question' field on it."

In total, three bugs were found and were rated medium, high, and critical, respectively. Moskowsky earned himself a payout of $13,300 for the find, a nice payout, but well short of the $20,000 he pocketed for spotting a major bug in Steam back in October.

Samsung did not respond to a request for comment on the matter. ®
=================================================================
If Samsung were using Wave software with a mobile TPM in its phones or with a TPM in its computers, flaws like the ones that crop up in the article could be severely diminished in their impact. imo.

The TPM or mobile TPM (with the TEE) could be used as a second factor of authentication with Wave's software and used by a preferred (or more secure) customer on Samsung's sites.
=================================================================
Wave Systems Signs 15-year License Agreement with Samsung

https://www.wavesys.com/buzz/news/wave-systems-signs-15-year-license-agreement-samsung

Security Week -

Wednesday, May 30, 2012 -

Wave Systems has signed a 15-year software license and distribution agreement with Samsung, enabling Samsung to bundle Wave’s EMBASSY Security Center (ESC) and TCG Software Stack (TSS) technology with devices that include a Trusted Platform Module (TPM), an industry standard security chip embedded in the motherboard of a computer or other electronic device.

In an SEC filing, Wave said it would receive a per-unit royalty based on Samsung’s sales of products that include its technology, but did not provide estimates in terms of expected revenue derived as a result.
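The referer check the Register article says the Samsung.com account page skipped, as an added example that is not from the article, Samsung or Wave: a minimal Python handler that validates the request's Origin (falling back to Referer) against an allow-list and also requires a per-session anti-CSRF token, which goes beyond the article's referer-only check. The origin, token and profile values are constructed placeholders, not Samsung's.

```python
import hmac
from urllib.parse import urlsplit

# Origins allowed to submit state-changing forms to the account service.
# Hypothetical value standing in for the site's own configuration.
ALLOWED_ORIGINS = {"https://account.example.com"}


def source_origin(headers):
    """Return scheme://host of the request's declared source, or None.
    Browsers attach Origin to cross-site POSTs; Referer is the header the
    article says the site should have checked. A missing or malformed
    value (including "Origin: null") yields None and is treated as untrusted.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_trusted_request(headers, form, session_token):
    """Allowed origin AND matching per-session anti-CSRF token; either check
    alone can fail (stripped Referer, leaked token), so both must pass."""
    if source_origin(headers) not in ALLOWED_ORIGINS:
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


def change_security_question(headers, form, profile, session_token):
    """Hardened handler: a cross-site POST carrying the victim's cookies but
    no allowed origin or valid token changes nothing and reports False."""
    if not is_trusted_request(headers, form, session_token):
        return False
    profile["question"] = form["question"]
    profile["answer"] = form["answer"]
    return True


if __name__ == "__main__":
    # Constructed sample requests: the site's own edit page vs a third party.
    profile = {"question": "first pet", "answer": "rex"}
    token = "s3ss10n-t0k3n"  # constructed per-session value
    form = {"csrf_token": token, "question": "x", "answer": "y"}
    own = {"Origin": "https://account.example.com"}
    other = {"Referer": "https://third-party.example/p"}
    print(change_security_question(own, form, profile, token))    # True
    print(change_security_question(other, form, profile, token))  # False
```

A SameSite cookie attribute on the session cookie would add a third, browser-enforced layer, but the server-side checks above are what the article describes as absent.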
