fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Can Exploit Bugs in Samsung Pre-installed Apps to Spy on Users

Hackers Can Exploit Bugs in Samsung Pre-installed Apps to Spy on Users

Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system.

The bugs are part of a larger set discovered and reported responsibly by one security researcher through the company’s bug bounty program.

Serious issues on Samsung devices

Since the beginning of the year, Sergey Toshin – the founder of Oversecured company specialized in mobile app security, found more than a dozen vulnerabilities affecting Samsung devices.

For three of them, the details are light at the moment because of the high risk they pose to users. Without getting into particularities, Toshin told BleepingComputer that the least severe of these issues could help attackers steal SMS messages if they trick the victim.

The other two are more serious, though, as they are stealthier. Exploiting them requires no action from the Samsung device user. An attacker could use it to read and/or write arbitrary files with elevated permissions.

It is unclear when the fixes will be pushed to the users, because the process typically takes about two months due to various testing of the patch to make sure that it does not cause other problems

Toshin reported all three security vulnerabilities responsibly and is currently waiting to receive the bounties.

Also Read: The DNC Singapore: Looking at 2 Sides Better

17 issues responsibly disclosed

From Samsung alone, the hacker collected close to $30,000 since the start of the year, for disclosing 14 issues. The other three vulnerabilities are currently waiting to be patched

For seven of these already patched bugs, which brought $20,690 in bounties, Toshin provides technical details and proof-of-concept exploitation instructions in a blog post today.

The hacker discovered the bugs in pre-installed apps on Samsung devices using the Oversecured scanner that he created specifically to help with the task.

He reported the flaws in February and also published a video demonstrating how a third-party app obtained device admin rights. The exploit, a zero-day at the time, had an unwanted side effect, though: in the process of getting elevated privileges, all other apps on the Android phone were deleted.

source: Sergey Toshin

The bug was patched in April. It impacted the Managed Provisioning app and is now tracked as CVE-2021-25356. The hacker received $7,000 for reporting it.

Toshin received another hefty bounty ($5,460) for sharing details with Samsung about an issue (CVE-2021-25393) in the Settings app that allowed gaining read/write access to arbitrary files with privileges of a system user.

The third best paid ($4,850) vulnerability from this February batch allowed writing arbitrary files as a Telephony user, which has access to call details and SMS/MMS messages.

Samsung patched most of these flaws in May. However, Toshin told BleepingComputer that Samsung also patched another set of seven bugs that he disclosed through the company’s bug bounty program.

These carried risks like reading/writing access to user contacts, access to the SD card, and leaking personal information like phone number, address, and email.

Users are advised to apply the latest firmware updates from the manufacturer to avoid potential security risks.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

Toshin reported more than 550 vulnerabilities in his career, earning over $1 million in bug bounties, through the HackerOne platform and various bug bounty programs.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us