News

Samsung Email bug could let attackers access your attachments

This month, Samsung has fixed multiple high severity vulnerabilities across multiple Samsung apps that come pre-installed on Samsung mobile devices.

These vulnerabilities impact apps and services including, Samsung Email, Samsung Members, SmartThings, Samsung Experience Service, Samsung Account, Gallery and Bixby.

Remote attackers could tap into your email attachments

One of these vulnerabilities, CVE-2021-25375 in particular, exists in the Samsung Email app prior to version 6.1.41.0.

By exploiting this vulnerability, a remote attacker could access email attachments from your Samsung Email app.

While the exact mechanism of the exploitation is yet to be fully known, the security advisory for the vulnerability explains:

Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment.

This implies, a remote attacker would typically need to send a Samsung Email app user an email with a malicious attachment.

But because of the predictable way attachment IDs are generated on the Samsung Email app, should the user open the attacker’s malicious attachment, the remote attacker would now be able to access more email attachments from the user’s other received emails.

This severe flaw was discovered by Juno Im and reported to Samsung on March 18, 2020.

A fix for the vulnerability went into version 6.1.41.0 of the app.

More severe vulnerabilities patched

Other vulnerabilities patched by Samsung in its mobile apps are as follows:

SVE-2021-19144 (CVE-2021-25374): Samsung Members

Severity: High
Resolved Version: 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above
Reported on: October 4, 2020
Description: An improper authorization vulnerability in Samsung Members “samsungrewards” scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.
Acknowledgement: Ken Gannon

SVE-2021-18085 (CVE-2021-25376): Samsung Email

Severity: Moderate
Resolved Version: 6.1.41.0
Reported on: June 17, 2020
Description: An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed.
Acknowledgement: Damian Poddebniak, Fabian Ising

SVE-2021-20637 (CVE-2021-25377): Samsung Experience Service

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above
Reported on: February 9, 2021
Description: Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin 

SVE-2021-20386 (CVE-2021-25378): SmartThings

Severity: Low
Resolved Version: 1.7.63.6
Reported on: January 19, 2021
Description: Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
Acknowledgement: Zhongquan Li ( CytQ) of Xiaomi AIoT Security Lab

SVE-2021-20601 (CVE-2021-25379): Gallery

Severity: Moderate
Resolved Version: 5.4.16.1
Reported on: February 5, 2021
Description: Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin

SVE-2021-19830 (CVE-2021-25380): Bixby

Severity: Moderate
Resolved Version: 3.0.53.02
Reported on: December 5, 2020
Description: Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user.
Acknowledgement: Gregory DRAPERI

SVE-2021-19503 (CVE-2021-25381): Samsung Account

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above
Reported on: November 2, 2020
Description: Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
Acknowledgement: hard_______

April updates are crucial as the vulnerabilities patched by this update lurk in the system applications and services that are typically shipped with the device out of the box.

Users are encouraged to apply the latest updates to keep themselves protected.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.