A now-patched safety flaw has been disclosed within the Galaxy Retailer app for Samsung gadgets that might doubtlessly set off distant command execution on affected telephones.
The vulnerability, which impacts Galaxy Retailer model 188.8.131.52, pertains to a cross-site scripting (XSS) bug that happens when dealing with sure deep links. An unbiased safety researcher has been credited with reporting the problem.
“Right here, by not checking the deep hyperlink securely, when a person accesses a hyperlink from a web site containing the deeplink, the attacker can execute JS code within the webview context of the Galaxy Retailer utility,” SSD Safe Disclosure said in an advisory posted final week.
The problem recognized within the Galaxy Retailer app has to do with how deep hyperlinks are configured for Samsung’s Advertising and marketing & Content material Service (MCS), doubtlessly resulting in a state of affairs the place arbitrary code injected into the MCS web site may result in its execution.
This might then be leveraged to obtain and set up malware-laced apps on the Samsung system when visiting the hyperlink.
“To have the ability to efficiently exploit the sufferer’s server, it’s essential to have HTTPS and CORS bypass of chrome,” the researchers famous.