Flaws in Samsung have made users vulnerable to attacks


Three flaws, all already patched, were recently found in Samsung’s mobile site. They left Samsung users vulnerable, since attackers could gain access to and control over user accounts and information.

“Due to the vulnerabilities, it was possible to hack any account on account.samsung.com if the user goes to my page. The hacker could get access to all the Samsung user services, private user information, to the cloud”, explained the bug-hunter Artem Moskowsky to The Register.

The bugs were all cross-site request forgery (CSRF) flaws and stemmed from security problems in the questions used to reset the password. More precisely, the Samsung.com web app was not correctly verifying the “Referer” header, which would allow any site to have access to important data.

In other words, after exploiting the CSRF flaw and changing the security questions to values of their choosing, the attacker would have full access to the user profile, with the possibility to disable the two-factor authentication and change the user name and password.
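An added example, not from the original article and not Samsung's code: the article does not say how the Referer check failed, so this sketch assumes two common mistakes (substring matching and accepting a missing header) and contrasts them with an exact-origin check that fails closed. The host `account.example.com` and the sample header values are constructed.

```python
from urllib.parse import urlsplit

# Assumed trusted origin (hypothetical host, not taken from the article).
TRUSTED_ORIGINS = {("https", "account.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def weak_check(headers):
    """Flawed pattern: substring match, and a missing header is accepted."""
    referer = headers.get("Referer", "")
    return referer == "" or "account.example.com" in referer


def _origin_of(value):
    """Return (scheme, host, port) for a header value, or None if unusable."""
    try:
        parts = urlsplit(value)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed port or host
        return None
    if not parts.hostname or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def strict_check(headers):
    """Exact origin match on Origin, falling back to Referer; fail closed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # state-changing request with no source header: reject
    return _origin_of(source) in TRUSTED_ORIGINS


# Constructed header sets for a state-changing request (e.g. updating security questions).
SAMPLES = [
    {"Referer": "https://account.example.com/security-questions"},  # legitimate
    {"Referer": "https://account.example.com.attacker.test/form"},  # look-alike host
    {"Referer": "https://attacker.test/?r=account.example.com"},    # name in query string
    {},                                                             # header stripped
]


def compare(samples=SAMPLES):
    """Return (weak, strict) verdicts for each sample header set."""
    return [(weak_check(h), strict_check(h)) for h in samples]


if __name__ == "__main__":
    for headers, verdict in zip(SAMPLES, compare()):
        print(headers, "weak=%s strict=%s" % verdict)
```

Header checks like this are a secondary control; per-request anti-CSRF tokens and `SameSite` cookies remain the primary defence for endpoints that change account recovery settings.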

Samsung paid Moskowsky USD 13,300 for finding the bugs. In October, he earned USD 20,000 for having found a bug in Steam. 
