Samsung patched a vulnerability last month in SNS Provider, a popular application that manages other social media apps and is present in millions of its devices. If exploited, the bug could have given attackers the ability to access any personal information users stored on Facebook, LinkedIn and Twitter.
The app, Samsung’s Social Networking Service Provider, acts as a bridge of sorts that lets the aforementioned social media apps, along with Google+, connect to other apps such as Calendar and Gallery.
Joaquin Manuel Rinaudo, an Argentinian researcher with the Dr. Manuel Sadowsky Foundation, an information and technology collective also based in Argentina, discovered the vulnerability and disclosed it in a post on Full Disclosure this morning.
SNS Provider, which comes pre-installed on several of the company’s devices, boasts around 41 million monthly active users, according to statistics cited in the disclosure.
When users log into Facebook or Twitter on Samsung devices, SNS Provider asks for full access to the user’s account; a token is then issued and stored locally. This makes it easy for SNS Provider to pass that information along to any other app that may need it. But several of the services the app used to sync users’ social media accounts had no protections at all, something Rinaudo claims a malicious third-party app could have abused.
Attackers could have requested the user’s Facebook or Twitter access token to “obtain photos, statuses, feeds, location and other information” from their accounts, in addition to posting to those accounts on their behalf.
“A malicious application that is granted these permissions could then access a user’s social network account content permanently,” Rinaudo writes.
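As an added illustration of the class of weakness described above (not code from Samsung or from Rinaudo’s disclosure), the Android pattern that keeps a token-handing service usable by the vendor’s own apps while refusing arbitrary third-party callers: the weak manifest entry exports the service with no permission, the hardened entry gates it behind a signature-level permission, and the service re-checks the caller inside every binder transaction. All component, permission and method names are hypothetical.

```java
// Hypothetical AndroidManifest.xml entries (assumed names, not SNS Provider's own).
//
// Weak: any installed app can bind to the service and ask for the stored token.
//   <service android:name=".TokenSyncService" android:exported="true" />
//
// Hardened: only apps signed with the same key as the provider can hold the permission.
//   <permission android:name="com.example.sns.ACCESS_TOKEN"
//               android:protectionLevel="signature" />
//   <service android:name=".TokenSyncService"
//            android:exported="true"
//            android:permission="com.example.sns.ACCESS_TOKEN" />

package com.example.sns;

import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class TokenSyncService extends Service {
    // Hypothetical permission name; declared in the manifest with protectionLevel="signature".
    static final String ACCESS_TOKEN = "com.example.sns.ACCESS_TOKEN";
    static final String DESCRIPTOR = "com.example.sns.ITokenSync";
    static final int TRANSACTION_GET_TOKEN = IBinder.FIRST_CALL_TRANSACTION;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // onTransact runs inside the client's transaction, so the calling UID is
            // the remote app. The manifest permission already gates binding; enforcing
            // it again here means a mis-set exported="true" without a permission still
            // cannot hand the token to an arbitrary caller (defence in depth).
            enforceCallingPermission(ACCESS_TOKEN, "caller may not read social tokens");
            if (code == TRANSACTION_GET_TOKEN) {
                data.enforceInterface(DESCRIPTOR);
                String network = data.readString(); // e.g. "facebook" or "twitter"
                reply.writeNoException();
                // Tokens live in the app's private preferences (hypothetical store name).
                reply.writeString(getSharedPreferences("sns_tokens", MODE_PRIVATE)
                        .getString(network, null));
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```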
Samsung, which was first notified about the issue last November, patched the issue in February by disabling the App ID for SNS Provider for Facebook and Twitter.
This should thwart any attacker from using malware to obtain access tokens associated with the old version of the app, but will cause session expiration from time to time on Facebook and Twitter.
According to the Sadowsky Association’s disclosure, one of the reasons the patch took so long to see the light of day was its “associated complexity,” together with the coordination required between the company’s SNS vendors and service carriers. At one point in December of last year Samsung apparently asked Rinaudo and company to delay their disclosure six months, citing “coordination of the release schedule with the service carriers,” a delay that the Sadowsky Association ultimately deemed an “excessive timespan.”
Emails to Samsung regarding this particular fix were not immediately returned on Thursday.
The way mobile device manufacturers handle security has been scrutinized plenty in the past. Conventional wisdom suggested that an FTC settlement with HTC two years ago, which singled out the manufacturer for failing to employ reasonable and appropriate security practices in its devices, was going to force many carriers to do an about-face and fix vulnerabilities sooner.