All of the vulnerabilities can be exploited without privilege and, according to Paleari, stem from “Samsung-specific software and customizations.” Paleari said two of the vulnerabilities can be used to silently install highly privileged applications without user interaction while another allows attackers to send SMS messages without permission
[…]
Paleari said he informed Samsung in mid-January shortly after he found the bugs and still hasn’t heard from the South Korean company about a fix. Instead, Paleari writes that Samsung did contact him on Feb. 20 and requested he delay public disclosure, insisting that “any patches [Samsung] develops must first be approved by the network carriers.”
This system is completely broken.
Hi, I'm Weiran Zhang. I work as a Senior Engineering Manager at Capital One. I have a passion for technology and building thriving software teams. This blog is where I write about things I find interesting. You can follow me on Mastodon.