A now-patched safety flaw has been disclosed within the Galaxy Store app for Samsung gadgets that would probably set off distant command execution on affected telephones.
The vulnerability, which impacts Galaxy Store model 4.5.32.4, pertains to a cross-site scripting (XSS) bug that happens when dealing with sure deep hyperlinks. An impartial safety researcher has been credited with reporting the difficulty.
“Here, by not checking the deep hyperlink securely, when a person accesses a hyperlink from an internet site containing the deeplink, the attacker can execute JS code within the webview context of the Galaxy Store utility,” SSD Secure Disclosure mentioned in an advisory posted final week.
XSS assaults permit an adversary to inject and execute malicious JavaScript code when visiting an internet site from a browser or one other utility.
The difficulty recognized within the Galaxy Store app has to do with how deep hyperlinks are configured for Samsung’s Marketing & Content Service (MCS), probably resulting in a situation the place arbitrary code injected into the MCS web site may result in its execution.
This may then be leveraged to obtain and set up malware-laced apps on the Samsung system when visiting the hyperlink.
“To be capable of efficiently exploit the sufferer’s server, it’s essential to have HTTPS and CORS bypass of chrome,” the researchers famous.