A now-patched vulnerability in the Galaxy Store app for Samsung devices could have potentially triggered remote command execution on affected phones.
The flaw is a cross-site scripting (XSS) bug that can be triggered when handling certain deep links.
The vulnerability impacts Galaxy Store version 184.108.40.206, it was reported by an independent security researcher through the SSD Secure Disclosure program.
“In the Galaxy Store application, there are some deeplinks handled. Deeplink can be called from another application or from a browser. When receiving suitable deeplinks Galaxy Store will process and display them via webview.” reads the advisory. “Here, by not checking the deeplink securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application.”
The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS).
The SamSung MCS Direct Page website was parsing the parameter from the url and then display it on the website, but it did not encode, leading to an XSS error.
“We can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.” continues the advisory.
While analyzing the deeplink process code, the expert noticed two functions, downloadApp and openApp, in the Class EditorialScriptInterface.
The two functions allow getting the app id and downloading them from the store or opening them. This means that it is possible to use JS code to call these two functions. In this scenario, an attacker can inject arbitrary code into the MCS website and execute it.
This issue can be exploited to download and install malicious apps on the Samsung device when visiting the link.
Samsung has already issued patches to address this issue.
(SecurityAffairs – hacking, Log4Shell)