Samsung computer phones used to have a stock app called S Suggest. Then Samsung didn't renew the domain that controls it, making it possible for villains to register the domain and infest millions of computer phone users with malware... had they spotted the opportunity.
Samsung, the most popular smartphone maker in the world, left millions of customers vulnerable to hackers after it let expire a domain that was used to control a stock app installed on older devices, security researchers say.
If you own an older Samsung smartphone, chances are you have a stock app designed to recommend other popular apps named S Suggest installed on it. The company says it discontinued S Suggest in 2014, and it recently let one of the domains used to control the app—ssuggest.com—expire, according to a security researcher who took over the domain.
By letting the domain expire, Samsung effectively gave anyone willing to register it a foothold inside millions of smartphones, and the power to push malicious apps on them, according to João Gouveia, the chief technology officer at Anubis Labs. Gouveia says he took over the domain Monday.
[...] Gouveia said that in just 24 hours, he saw 620 million "check ins," or connections, from around 2.1 million unique devices. S Suggest has a bunch of permissions, including rebooting the phone remotely and installing apps or packages.
This is on a par in severity with CVE-2015-2865 from 2015-06-17, when updates were not authenticated properly.
That is unless the phone goes into mission impossible flight mode and self destructs as in 2016-09-08.
(Score: 2) by KGIII on Friday June 16 2017, @04:34AM (2 children)
This seems pretty much like a solved problem. Why did they need a TLD? Making subdomains is pretty trivial. You don't even have to point them at the same IP address as the FQDN. I am not even sure why they'd do it this way.
ssuggest.samsung.tld
They can still have a TLD, even. They would only need to use the subdomain in the code itself. I have to be missing something, 'cause this seems pretty silly.
"So long and thanks for all the fish."
(Score: 3, Interesting) by Lagg on Friday June 16 2017, @06:37AM
Cookieless assets; Chrome has a cap of 6 asynchronous connections to the same origin. Easier to isolate rules from depending on the server. Etc.
Or maybe I'm just giving them too much credit and they don't know you can do that. idunno
http://lagg.me 🗿
(Score: 4, Insightful) by kaszz on Friday June 16 2017, @07:16AM
When you need to get shit done and don't have time for ivory tower bureaucrats. It's a lot more efficient to create something in parallel and get on with your project.
What they should have done is to make the phone software demand a signed message to act on anything at all. That would make owning the domain or MITM pointless.
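To make the point in the last comment concrete, here is an added example (not code from the original page, and not Samsung's or S Suggest's actual protocol) of a device that refuses to act on any pushed command unless it verifies under a vendor public key baked into the firmware. The command format, the `ssuggest-command-v1:` context label, the package names and the sequence-number scheme are all hypothetical. It walks the four cases a device would see once a control domain changes hands: a genuine command, a payload edited in flight by whoever now owns the domain, a command signed with the attacker's own key, and a replay of a captured genuine command. Only the first is accepted, so owning the domain or sitting in the middle of the connection gains nothing without the vendor's private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is what a suggest/update server pushes to the device (hypothetical format).
type Command struct {
	Seq    uint64 `json:"seq"`    // strictly increasing; a lower or equal value is a replay
	Action string `json:"action"` // e.g. "install", "reboot"
	Target string `json:"target"` // package name the action applies to
}

// Envelope is the wire message: the JSON payload plus an Ed25519 signature over it.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// context is a domain-separation label so a signature on some other message type
// issued with the same key can never be mistaken for a device command (hypothetical).
const context = "ssuggest-command-v1:"

var (
	ErrBadSignature = errors.New("signature does not verify under the vendor key")
	ErrReplay       = errors.New("stale sequence number (replay)")
)

// Device models the client: the vendor public key is pinned at build time, and the
// last accepted sequence number is persisted so captured commands cannot be replayed.
type Device struct {
	vendorPub ed25519.PublicKey
	lastSeq   uint64
}

// signCommand is the server side: serialise the command and sign context||payload.
func signCommand(priv ed25519.PrivateKey, cmd Command) (Envelope, error) {
	payload, err := json.Marshal(cmd)
	if err != nil {
		return Envelope{}, err
	}
	msg := append([]byte(context), payload...)
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, msg)}, nil
}

// Accept is the client side. The signature is checked before the payload is even
// parsed, so the domain, the TLS endpoint and any MITM are untrusted transport only.
func (d *Device) Accept(env Envelope) (Command, error) {
	var cmd Command
	msg := append([]byte(context), env.Payload...)
	if !ed25519.Verify(d.vendorPub, msg, env.Signature) {
		return cmd, ErrBadSignature
	}
	if err := json.Unmarshal(env.Payload, &cmd); err != nil {
		return cmd, err
	}
	if cmd.Seq <= d.lastSeq {
		return cmd, ErrReplay
	}
	d.lastSeq = cmd.Seq
	return cmd, nil
}

// Scenario runs the four cases and returns the device's verdict on each.
func Scenario() (legit, tampered, attackerSigned, replayed error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{vendorPub: vendorPub}

	// 1. Genuine, fresh command signed by the vendor: accepted.
	env, _ := signCommand(vendorPriv, Command{Seq: 1, Action: "install", Target: "com.example.app"})
	_, legit = dev.Accept(env)

	// 2. New domain owner rewrites the target in flight; the vendor signature no longer matches.
	tEnv := env
	tEnv.Payload = bytes.Replace(env.Payload, []byte("com.example.app"), []byte("com.evil.app"), 1)
	_, tampered = dev.Accept(tEnv)

	// 3. Attacker signs their own command with their own key; the pinned key rejects it.
	aEnv, _ := signCommand(attackerPriv, Command{Seq: 2, Action: "install", Target: "com.evil.app"})
	_, attackerSigned = dev.Accept(aEnv)

	// 4. Attacker replays the captured genuine command; the sequence check rejects it.
	_, replayed = dev.Accept(env)
	return
}

func main() {
	legit, tampered, attackerSigned, replayed := Scenario()
	fmt.Println("genuine command:   ", legit)
	fmt.Println("tampered payload:  ", tampered)
	fmt.Println("attacker-signed:   ", attackerSigned)
	fmt.Println("replayed command:  ", replayed)
}
```

The sequence number matters as much as the signature: without it, anyone who recorded a single legitimate "install" message while they held the domain could push it to every device forever. A real deployment would also need a way to rotate the pinned key, which is exactly the kind of signed message this scheme already supports.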