<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Potential samsung pass vulnerability in Mobile Apps &amp; Services</title>
    <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015010#M46426</link>
    <description>&lt;P&gt;What if you use only fingerprints for Samsung Pass?&lt;/P&gt;</description>
    <pubDate>Mon, 31 Mar 2025 21:23:08 GMT</pubDate>
    <dc:creator>Sonora</dc:creator>
    <dc:date>2025-03-31T21:23:08Z</dc:date>
    <item>
      <title>Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014242#M46416</link>
      <description>Heyo, I've sorta just spotted something with samsung pass that is rather worrying in terms of authentication. I'd report this to samsung but I have a feeling live chat will have no idea what I'm talking about so I wouldn't know who to tell. First let me explain the situation.&lt;DIV&gt;&lt;BR /&gt;&lt;/DIV&gt;&lt;DIV&gt;You have samsung pass setup with the verification method set as fingerprints and the samsung pass pin. So you need a fingerprint to access it.&lt;/DIV&gt;&lt;DIV&gt;&lt;BR /&gt;&lt;/DIV&gt;&lt;DIV&gt;Say someone watches you enter your device code. They take the device and try to access your samsung pass. They get stopped as fingerprint verification is required or the samsung pass pin is required. They only know your phone code as they saw you enter it. They cannot access samsung pass. This is how things should be. The issue...&lt;/DIV&gt;&lt;DIV&gt;&lt;BR /&gt;&lt;/DIV&gt;&lt;DIV&gt;They go to settings in samsung pass, they go to verification method, they enable "use screen lock". No fingerprint prompt appears, it just enables without question. They use that screen unlock code to access samsung pass. They see your samsung account password saved. They use that to remove the account from the device. They own the device now.&lt;/DIV&gt;&lt;DIV&gt;&lt;BR /&gt;&lt;/DIV&gt;&lt;DIV&gt;Why can "use screen lock" be enabled without any kind of other authentication system? You should not be able to add another way to unlock it without proving you can use the other ways first. This is a rather large security hole.&lt;/DIV&gt;&lt;DIV&gt;I should also add, why can it be disabled in the first place if it can be enabled again at any moment?&lt;/DIV&gt;&lt;DIV&gt;&lt;BR /&gt;&lt;/DIV&gt;&lt;DIV&gt;I should add, this isn't some theoretical attack, the "identity check" feature in one ui 7 is designed specifically to stop this attack. But the loophole is samsung pass not authenticating some settings correctly.&lt;/DIV&gt;</description>
      <pubDate>Mon, 31 Mar 2025 19:26:09 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014242#M46416</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T19:26:09Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014420#M46417</link>
      <description>Trying to report it as this makes samsung pass really insecure if someone happens to see your lock screen code. If "use screen lock" is disabled, it 100% should require fingerprint or the samsung pass pin to enable</description>
      <pubDate>Mon, 31 Mar 2025 19:41:07 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014420#M46417</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T19:41:07Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014433#M46418</link>
      <description>If they saw you enter your pin they could also go to settings - general management - reset - factory reset data lol, it lets you choose to use pin instead of fingerprint.</description>
      <pubDate>Mon, 31 Mar 2025 19:44:42 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014433#M46418</guid>
      <dc:creator>Abravenewworld</dc:creator>
      <dc:date>2025-03-31T19:44:42Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014437#M46419</link>
      <description>No that can't. You need the password of the samsung account to reset a device. Clearing fingerprints would make samsung pass only unlock with the samsung pass pin. Using this issue, someone can get the samsung password from samsung pass, then use that to reset the device and compromise the account</description>
      <pubDate>Mon, 31 Mar 2025 19:45:11 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014437#M46419</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T19:45:11Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014545#M46421</link>
      <description>Just been updating the apps Samsung store</description>
      <pubDate>Mon, 31 Mar 2025 19:52:01 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014545#M46421</guid>
      <dc:creator>lance78</dc:creator>
      <dc:date>2025-03-31T19:52:01Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014610#M46422</link>
      <description>&lt;P&gt;I agree that it is a concern and a security flaw in this situation so worth reporting. An overall review of the merits of Samsung Pass in this article. &lt;A href="https://www.allthingssecured.com/reviews/password-managers/samsung-pass/" target="_blank"&gt;https://www.allthingssecured.com/reviews/password-managers/samsung-pass/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 19:59:07 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014610#M46422</guid>
      <dc:creator>JAMES4578</dc:creator>
      <dc:date>2025-03-31T19:59:07Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014681#M46423</link>
      <description>To add to this. The process of resetting a phone needs the device code and the samsung account password. If you use samsung pass your passwords are in there. If you make samsung pass only unlock with a fingerprint or pin. The device code unlock method can be enabled without any checks. The setting shouldn't exist if disabling it means nothing. Since anyone could turn it on if they knew the device code.&lt;BR /&gt;&lt;BR /&gt;I'm guessing it is supposed to run a check but it just doesn't</description>
      <pubDate>Mon, 31 Mar 2025 20:23:17 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12014681#M46423</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T20:23:17Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015010#M46426</link>
      <description>&lt;P&gt;What if you use only fingerprints for Samsung Pass?&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 21:23:08 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015010#M46426</guid>
      <dc:creator>Sonora</dc:creator>
      <dc:date>2025-03-31T21:23:08Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015100#M46427</link>
      <description>If you only use fingerprints for samsung pass, anyone can enable unlock with device code without using your fingerprint.&lt;BR /&gt;&lt;BR /&gt;Meaning it bypasses your fingerprint, as long as they know the device unlock code. This could be found by looking over your shoulder when you unlock your phone&lt;BR /&gt;&lt;BR /&gt;To be fully clear, that means the unlock to turn your phone on. They do not need to know the samsung pass pin or anything else.&lt;BR /&gt;&lt;BR /&gt;Enabling that setting should require your fingerprint or samsung pass pin. But it just doesn't.&lt;BR /&gt;&lt;BR /&gt;(This is an example, I of course would never do this)&lt;BR /&gt;So if I knew your phone pin and had the phone, I could get into your samsung pass without needing a fingerprint or the samsung pass pin by just enabling "use screen lock". With that access, I could find your samsung account details. Since your phone is a 2fa method, that would let me steal the samsung account. Then reset the phone using the password for the samsung account. I would have gained a new reset phone and locked you out of the account.&lt;BR /&gt;&lt;BR /&gt;If samsung added protection to this setting. I would have no way into your samsung pass meaning no account stealing and no phone reset. You would remotely track and lock the phone, protecting your data.&lt;BR /&gt;&lt;BR /&gt;Again, would never do this, do not do this. I think explaining the attack really shows my point</description>
      <pubDate>Mon, 31 Mar 2025 22:01:14 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015100#M46427</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T22:01:14Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015138#M46428</link>
      <description>I've mentioned this briefly in replies before but as a uni student studying computer networking and security, I really enjoy finding and documenting these kinda things. Hence the giant paragraphs. I pick samsung phones due to their security and knox, things other androids don't come close to</description>
      <pubDate>Mon, 31 Mar 2025 22:08:14 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015138#M46428</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T22:08:14Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015145#M46429</link>
      <description>&lt;P&gt;I never use device code for unlocking phone when someone is looking. So, you can't access my Samsung Pass.&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 22:10:26 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015145#M46429</guid>
      <dc:creator>Sonora</dc:creator>
      <dc:date>2025-03-31T22:10:26Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015154#M46431</link>
      <description>That's not really my point. This whole thing started a few years ago. There's a trick where malicious individuals go to a bar, find someone, flirt or something. Get the person to request their phone number. The malicious person then goes to enter it into the phone, locks the phone, presses the fingerprint sensor a few times. Now the phone is locked and fingerprint is disabled. They then say the phone locked, the owner then enters the code to unlock the phone. The malicious person now has the phone and code. Then they can use the samsung pass issue.&lt;BR /&gt;&lt;BR /&gt;So yes normally you don't enter your code. But the bar scam thing is so common both apple and google added protection against it. Called identity check on android 15.&lt;BR /&gt;&lt;BR /&gt;Yes people aware won't enter or show their code. But it only takes one mistake. Samsung adding the proper checks to samsung pass would prevent the worse parts of the scam&lt;SPAN class="mobile-app-image"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="Screenshot_20250331_232121_Settings_1000017432_1743459691.png"&gt;&lt;img src="https://eu.community.samsung.com/t5/image/serverpage/image-id/2806676i73E6200FF15E1401/image-size/small?v=v2&amp;amp;px=200" role="button" title="Screenshot_20250331_232121_Settings_1000017432_1743459691.png" alt="Screenshot_20250331_232121_Settings_1000017432_1743459691.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;</description>
      <pubDate>Mon, 31 Mar 2025 22:22:19 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015154#M46431</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T22:22:19Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015164#M46432</link>
      <description>&lt;P&gt;First mistake. Never give your phone to a stranger, enter the number yourself. It is very likely that your phone will not ask you for the device code, but your finger will unlock the phone. If you don't take some simple security steps like this yourself, it will be very difficult for someone to trick you. Caution is the mother of wisdom.&lt;span class="lia-unicode-emoji" title=":face_savoring_food:"&gt;😋&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 22:33:01 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015164#M46432</guid>
      <dc:creator>Sonora</dc:creator>
      <dc:date>2025-03-31T22:33:01Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015167#M46433</link>
      <description>You are right. But the majority of people don't do that. When drunk or out, they will just turn their phone to have someone enter a phone number.&lt;BR /&gt;&lt;BR /&gt;Pressing the wrong finger on the fingerprint sensor 3-5 times disables it, forcing the code.&lt;BR /&gt;&lt;BR /&gt;Also this is such a big issue google and apple made a specific security system to prevent it. So you can't just blow it off that easily. Yes you or I won't fall for it. But the fact that samsung pass has this security hole still exists</description>
      <pubDate>Mon, 31 Mar 2025 22:36:41 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015167#M46433</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-03-31T22:36:41Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015178#M46434</link>
      <description>&lt;P&gt;Ahh, those wonderful old days when there were no cell phones, so you still scheduled meetings and dates, and you wrote down phone numbers (not cell phones, but telephones) on a piece of paper or something. &lt;span class="lia-unicode-emoji" title=":face_with_tears_of_joy:"&gt;😂&lt;/span&gt;.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't even like selfies. I have the same front camera as Mark Meta on his laptop &lt;span class="lia-unicode-emoji" title=":face_with_tongue:"&gt;😛&lt;/span&gt;🤭&lt;span class="lia-unicode-emoji" title=":face_with_tears_of_joy:"&gt;😂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 22:43:58 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12015178#M46434</guid>
      <dc:creator>Sonora</dc:creator>
      <dc:date>2025-03-31T22:43:58Z</dc:date>
    </item>
    <item>
      <title>Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12019179#M46444</link>
      <description>Nice to see samsung is hopefully looking into this&lt;SPAN class="mobile-app-image"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="Screenshot_20250401_184356_Samsung Members_1000017448_1743529447.png"&gt;&lt;img src="https://eu.community.samsung.com/t5/image/serverpage/image-id/2807551iB817A66B9B2599A4/image-size/small?v=v2&amp;amp;px=200" role="button" title="Screenshot_20250401_184356_Samsung Members_1000017448_1743529447.png" alt="Screenshot_20250401_184356_Samsung Members_1000017448_1743529447.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;</description>
      <pubDate>Tue, 01 Apr 2025 17:44:47 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/12019179#M46444</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-04-01T17:44:47Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/13076994#M51602</link>
      <description>&lt;P&gt;What is the safest setting to have on then, for a Samsung user?&lt;/P&gt;&lt;P&gt;Do I need to remove my screen lock, or change some setting so that no one can access the phone?&lt;/P&gt;</description>
      <pubDate>Mon, 25 Aug 2025 10:37:53 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/13076994#M51602</guid>
      <dc:creator>ssnguser</dc:creator>
      <dc:date>2025-08-25T10:37:53Z</dc:date>
    </item>
    <item>
      <title>Re: Re: Re: Re: Potential samsung pass vulnerability</title>
      <link>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/13078831#M51614</link>
      <description>There isn't anything you can do, so just carry on as normal.&lt;BR /&gt;&lt;BR /&gt;The issue only works if someone has your phone and knows your phone's code. So rare but not impossible.&lt;BR /&gt;&lt;BR /&gt;I personally have "use screen unlock" disabled in samsung pass. But someone can just enable it again, that's the issue&lt;BR /&gt;&lt;BR /&gt;Samsung could prevent it by putting a fingerprint check on that setting but hasn't yet</description>
      <pubDate>Mon, 25 Aug 2025 19:27:36 GMT</pubDate>
      <guid>https://eu.community.samsung.com/t5/mobile-apps-services/potential-samsung-pass-vulnerability/m-p/13078831#M51614</guid>
      <dc:creator>arianwen27</dc:creator>
      <dc:date>2025-08-25T19:27:36Z</dc:date>
    </item>
  </channel>
</rss>

