Samsung: Galaxy Store bug allowed remote control of devices by hackers

    The Galaxy Store application, available for the brand's devices, had a security flaw that could trigger the remote execution of commands on affected phones.

    This bug affected Galaxy Store version 4.5.32.4, and is associated with a “cross-site scripting” (XSS) error that occurs when handling certain deep links. An independent security investigator was credited with reporting the issue.

    "When a user clicks on a website link that contains a deep link, the attacker can execute JS code in the context of the Galaxy Store app's web view," SSD Secure Disclosure said in its latest statement.



    XSS attacks allow an attacker to inject malicious JavaScript code that is executed when a victim visits a website from a browser or other application.

    The issue identified in the Galaxy Store app has to do with the way deep links are set up for Samsung's Marketing & Content Service (MCS), potentially leading to a scenario where arbitrary code injected into the MCS website is executed.
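    As a defensive illustration of the deep-link handling described above (an added example, not code from Samsung or the researchers), the sketch below validates the URL carried in a deep link before a web view loads it and HTML-encodes a parameter before the page reflects it. The `exampleapp://launch` scheme, the `url` and `title` parameter names and the allowlisted host are hypothetical.

```javascript
// Added example. The scheme, host and parameter names are assumptions,
// not the Galaxy Store's real deep-link format.
const ALLOWED_HOSTS = new Set(["promo.example.com"]); // constructed allowlist

// Return the HTTPS URL the web view may load, or null to reject the deep link.
function resolveDeepLink(deepLink) {
  let link;
  try { link = new URL(deepLink); } catch { return null; }
  if (link.protocol !== "exampleapp:" || link.hostname !== "launch") return null;

  const raw = link.searchParams.get("url");
  if (!raw) return null;

  let target;
  try { target = new URL(raw); } catch { return null; }
  // Reject javascript:, data:, http: and anything else that is not HTTPS.
  if (target.protocol !== "https:") return null;
  // Reject user-info tricks such as https://promo.example.com@other.test/.
  if (target.username || target.password) return null;
  // Exact host match: a suffix or substring check would accept look-alike hosts.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  return target.href;
}

// HTML-encode a value before it is written into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Page-side rendering: the reflected parameter is treated as text, never as markup.
function renderBanner(pageUrl) {
  const title = new URL(pageUrl).searchParams.get("title") ?? "";
  return `<h1>${escapeHtml(title)}</h1>`;
}
```

    Both checks matter: the allowlist limits which pages the web view opens, and the encoding keeps a parameter on an allowed page from being interpreted as script.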

    It is worth mentioning that this can also be leveraged to download and install malware apps on the Samsung device when the victim clicks on the link.

    "To be able to successfully exploit the victim's server, it is necessary to have HTTPS and CORS bypassing Chrome," the researchers noted.



    Fortunately, according to the available information, this vulnerability has already been fixed.
