Broken Access Control on subdomain leads to Mass Account Takeover of Samsung employees application accounts




As we have entered the month of December, I decided to freshen up some targets and to take a look at Samsung's bug bounty programs, as I had had good experience with them in the past.

Samsung publishes its bounty policy at the following link: Policy

Since they state that only vulnerabilities affecting the Samsung Mobile/TV team's services or devices are eligible for a bounty, and you can't really know which services actually belong to them, I decided to look at the * scope.



As you might have read in my previous blog post, there is no magic when it comes to reconnaissance.

Running my bash script, which chains the well-known open source subdomain discovery tools, produced 853 alive (probed) subdomains.


A nuclei scan for known vulnerabilities didn't return anything significant, so it was time to dive into the subdomains and look manually for interesting information.

A natural first step is to look at the subdomains whose names include interesting keywords such as dev, admin and stage.

Eventually this led me to explore a few subdomains containing those keywords, and in particular the vulnerable subdomain

Manual Inspection

Navigating to presented us with a static web page with a small login button up top.


The login functionality simply used the SSO of, so I was redirected to and had to enter my account information, and was later redirected back to fill in a few more details at the origin of the request.


We were not authorized to access the data the subdomain serves, probably because we are not Samsung employees and would need to wait for a manager's approval.

So, pretty much a dead end?


While I was observing the functionality my Burp proxy was up and running, and the JS Link Finder extension came in clutch.

JS Link Finder is a Burp extension for passively scanning JavaScript files for endpoint links. It can:
- Export results to a text file
- Exclude specific 'js' files, e.g. jquery, google-analytics


Looking at the links the extension found, we could notice many REST API endpoints that would be interesting to test for accessibility from an unauthenticated and unauthorized user's perspective.

As there were about 600 interesting links to look at, doing so manually wouldn't be effective. Instead, copy the complete list from JS Link Finder into a new text file and strip the ordering column with cut -d " " -f 3, leaving just the endpoints.

Feeding the list to ffuf surfaces the endpoints that return 200, which narrowed the list down to something manageable for manual review.
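The cut-and-ffuf pipeline above, reproduced as a small Python script so the filtering logic can be run offline. This is an added example, not the author's script or any Samsung tooling; it assumes (the page does not say) that the JS Link Finder export is whitespace-separated with the endpoint in the third column, which is what cutting field 3 implies. The sample export and the fake target responses are constructed.

```python
"""Added example, not code from the write-up: turn a JS Link Finder export into
a de-duplicated endpoint list and request each path with no cookie or token, so
every 200 is one an unauthenticated user can reach (ffuf -mc 200 equivalent).
Assumed, not stated on the page: the export has the endpoint in column 3."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample export; a real one runs to hundreds of lines.
SAMPLE_EXPORT = """\
1 /static/app.js /api/v1/users
2 /static/app.js /api/v1/users
3 /static/vendor.js https://cdn.example.invalid/lib.js
4 /static/app.js /api/v1/settings
5 /static/app.js ./relative/template.html
"""


def prepare_wordlist(export_text):
    """Equivalent of `cut -d " " -f 3 | grep '^/' | sort -u`: keep the endpoint
    column, keep only absolute paths on the target, drop duplicates."""
    paths = set()
    for line in export_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        endpoint = fields[2]
        if endpoint.startswith("/"):
            paths.add(endpoint)
    return sorted(paths)


def default_fetch(url):
    """Plain GET with no cookies and no Authorization header; returns the status."""
    req = urllib.request.Request(url, headers={"User-Agent": "unauth-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def probe_unauthenticated(base_url, paths, fetch=default_fetch, keep=(200,)):
    """Request every path anonymously and return {path: status} for the ones
    whose status is in `keep`. `fetch` is injectable so the logic can be
    exercised offline with constructed responses."""
    hits = {}
    for path in paths:
        status = fetch(urljoin(base_url, path))
        if status in keep:
            hits[path] = status
    return hits


def fake_fetch(url):
    """Constructed target: one endpoint is exposed to anonymous callers, the
    other correctly answers 403."""
    return 200 if url.endswith("/api/v1/users") else 403


if __name__ == "__main__":
    wordlist = prepare_wordlist(SAMPLE_EXPORT)
    print(probe_unauthenticated("https://target.example.invalid", wordlist, fetch=fake_fetch))
```

The `fetch` parameter is the only thing standing between this and a live probe: drop it to use `default_fetch`, which deliberately sends no session material, so any 200 in the result is an endpoint that needs a manual look at what it returns.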


The following endpoint proved to be critically severe (it has since been fixed):

The page returned, for every user who had ever signed in through the login form, the following account details:

"login":"[email protected]",
"fullName":"Israel Israeli",
"email":"[email protected]",
"datetimePattern":"YYYY-MM-DD HH:mm",

There were approximately 200 users, including administrators.


Now we need to figure out how the authCode is used by the application we are testing.

After triggering the login functionality from we can observe that the following request is initiated:


Replacing the authCode I had been issued with one from the dump allowed me to bypass the restriction and access the application as the victim's account.
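To make the two halves of this bug concrete, here is a toy model of the flow described above beside a hardened version of the same two endpoints. This is an added example and not the application's code or anything Samsung published; it assumes (the page does not detail this) that the app stored the SSO-issued authCode on each user record, that the user-listing endpoint returned those records, and that the login request was accepted purely because its authCode matched a stored one. The user records are constructed.

```python
"""Added example, not code from the write-up or from Samsung: the authCode
replay modelled in a few lines, next to a version where the same attack fails.
Assumed, not stated on the page: the app stores the SSO-issued authCode on the
user record, the listing endpoint returns it, and login accepts it as proof."""
import hashlib
import hmac
import time


class VulnerableApp:
    """Listing has no authorization check and leaks reusable authCodes."""

    def __init__(self):
        self.users = {}

    def sso_callback(self, login, full_name, auth_code, roles=()):
        # Code from the IdP redirect is stored in clear and never expires.
        self.users[login] = {
            "login": login, "fullName": full_name, "authCode": auth_code, "roles": set(roles),
        }

    def list_users(self, session=None):
        # Nobody checks who is asking: the 403 the fix later added is absent.
        return [dict(u, roles=sorted(u["roles"])) for u in self.users.values()]

    def login(self, auth_code):
        for user in self.users.values():
            if user["authCode"] == auth_code:
                return {"login": user["login"]}  # a session as that user
        return None


class HardenedApp:
    """Listing needs an admin session and returns no secrets; codes are
    single-use, short-lived and stored only as keyed digests."""

    CODE_TTL = 60  # seconds: a redirect code should be exchanged immediately

    def __init__(self, server_key, clock=time.time):
        self.users = {}
        self.pending = {}  # HMAC(code) -> (login, expiry)
        self.key = server_key
        self.clock = clock

    def _digest(self, code):
        return hmac.new(self.key, code.encode(), hashlib.sha256).hexdigest()

    def sso_callback(self, login, full_name, auth_code, roles=()):
        self.users[login] = {"login": login, "fullName": full_name, "roles": set(roles)}
        self.pending[self._digest(auth_code)] = (login, self.clock() + self.CODE_TTL)

    def list_users(self, session=None):
        caller = self.users.get((session or {}).get("login"))
        if caller is None or "admin" not in caller["roles"]:
            raise PermissionError(403)
        # Even an admin only gets directory data, never credentials.
        return [{"login": u["login"], "fullName": u["fullName"]} for u in self.users.values()]

    def login(self, auth_code):
        entry = self.pending.pop(self._digest(auth_code), None)  # pop: single use
        if entry is None or entry[1] < self.clock():
            return None
        return {"login": entry[0]}


def replay_against(app):
    """Attacker flow from the write-up: dump the listing unauthenticated, take
    an admin's authCode, send it through the normal login request. Returns the
    session obtained, or the HTTP-style status the listing refused with."""
    try:
        dump = app.list_users(session=None)
    except PermissionError as exc:
        return exc.args[0]
    admin_code = next(u["authCode"] for u in dump if "admin" in u["roles"])
    return app.login(admin_code)


def populate(app):
    # Constructed sample users standing in for the ~200 accounts in the dump.
    app.sso_callback("israel.israeli@example.invalid", "Israel Israeli", "code-1")
    app.sso_callback("admin@example.invalid", "Site Admin", "code-2", roles=("admin",))
    return app


if __name__ == "__main__":
    print(replay_against(populate(VulnerableApp())))   # {'login': 'admin@example.invalid'}
    print(replay_against(populate(HardenedApp(b"k"))))  # 403
```

The 403 is the part of the fix the write-up describes; the single-use, expiring, digest-only storage is the extra layer that would keep a future leak of the same table from being a mass account takeover.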




The issue was fixed by Samsung's security team; the page now returns a 403 error when accessed by unauthorized personnel.





Although I didn't receive any bounty for the finding, and the fact is that I could have earned the "thanks" letter from Samsung by reporting a low severity issue as well, it was nice to find a critical misconfiguration at such a big company on what seemed to be a pretty static page.

It makes you understand that the interesting parts of engaging with bug bounty programs are the unseen ones :-)

Thanks for sticking it out!

Hope you enjoyed reading my writeup. Sharing the blog would be nice, and I hope you discovered new ways of approaching a target from my blog :-)

Gal Nagli

A Man who enjoys the art of study, breaking stuff when I can.
