search icon
Close

What are you looking for?

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Potential samsung pass vulnerability

(Topic created on: 31-03-2025 08:18 PM)
462 Views
arianwen27
Black Belt 

‎31-03-2025 08:18 PM - last edited ‎31-03-2025 08:26 PM

Options
Heyo, I've sorta just spotted something with samsung pass that is rather worrying in terms of authentication. I'd report this to samsung but I have a feeling live chat will have no idea what I'm talking about so I wouldn't know who to tell. First let me explain the situation.

You have samsung pass setup with the verification method set as fingerprints and the samsung pass pin. So you need a fingerprint to access it.

Say someone watches you enter your device code. They take the device and try to access your samsung pass. They get stopped as fingerprint verification is required or the samsung pass pin is required. They only know your phone code as they saw you enter it. They cannot access samsung pass. This is how things should be. The issue...

They go to settings in samsung pass, they go to verification method, they enable "use screen lock". No fingerprint prompt appears, it just enables without question. They use that screen unlock code to access samsung pass. They see your samsung account password saved. They use that to remove the account from the device. They own the device now.

Why can "use screen lock" be enabled without any kind of other authentication system? You should not be able to add another way to unlock it without proving you can use the other ways first. This is a rather large security hole.
I should also add, why can it be disabled in the first place if it can be enabled again at any moment?

I should add, this isn't some theoretical attack, the "identity check" feature in one ui 7 is designed specifically to stop this attack. But the loophole is samsung pass not authenticating some settings correctly.
15 REPLIES 15
arianwen27
Black Belt 

‎31-03-2025 08:40 PM - last edited ‎31-03-2025 08:41 PM

Options
Trying to report it as this makes samsung pass really insecure if someone happens to see your lock screen code. If "use screen lock" is disabled, it 100% should require fingerprint or the samsung pass pin to enable
0 Likes
Abravenewworld
Pioneer

‎31-03-2025 08:42 PM - last edited ‎31-03-2025 08:44 PM

Options
If they seen you enter your pin they could also goto settings - general management - reset - factory reset data lol, its lets you choose to use pin instead of fingerprint.
0 Likes
arianwen27
Black Belt 

‎31-03-2025 08:43 PM - last edited ‎31-03-2025 08:45 PM

Options
In response to Abravenewworld
No that can't. You need the password of the samsung account to reset a device. Clearing fingerprints would make samsung pass only unlock with the samsjng pass pin. Using this issue, someone can get the samsung password from samsung pass, then use that to reset the device and compromise the account
lance78
Hotshot

‎31-03-2025 08:51 PM - last edited ‎31-03-2025 08:52 PM

Options
Just been updating the apps Samsung store
0 Likes
JAMES4578
Samsung Members Star ★★

‎31-03-2025 08:59 PM

Options

I agree that it is a concern  and a security flaw in this ituation so worth reporting.   An oveall review of the merits of Samsung Pass in this article.  https://www.allthingssecured.com/reviews/password-managers/samsung-pass/

I do not work for Samsung or make Samsung Products but provide independent advice and valuable contributions.


0 Likes
arianwen27
Black Belt 

‎31-03-2025 09:14 PM - last edited ‎31-03-2025 09:23 PM

Options
In response to arianwen27
To add to this. The process of resetting a phone needs the device code and the samsung account password. If you use samsung pass your passwords are in there. If you make samsung pass only unlock with a fingerprint or pin. The device code unlock method can be enabled without any checks. The setting shouldn't exist if disabling it means nothing. Since anyone could turn it on if they knew the device code.

I'm guessing it is supposed to run a check but it just doesn't
0 Likes
Sonora
Maestro

‎31-03-2025 10:23 PM

Options

What if you use only fingerprints for Samsung Pass? 

0 Likes
arianwen27
Black Belt 

‎31-03-2025 10:48 PM - last edited ‎31-03-2025 11:01 PM

Options
In response to Sonora
If you only use fingerprints for samsung pass, anyone can enable unlock with device code without using your fingerprint.

Meaning it bypasses your fingerprint, as long as they know the device unlock code. This could be found by looking over your shoulder when you unlock your phone

To be fully clear, that means the unlock to turn your phone on. They do not need to know the samsung pass pin or anything else.

Enabling that setting should require your fingerprint or samsung pass pin. But it just doesn't.

(This is an example, I of course would never do this)
So if I knew your phone pin and had the phone, I could get into your samsung pass without needing a fingerprint or the samsung pass pin by just enabling "use screen lock". With that access, I could find your samsung account details. Since your phone is a 2fa method, that would let me steal the samsung account. Then reset the phone using the password for the samsung account. I would have gained a new reset phone and locked you out of the account.

If samsung added protection to this setting. I would have no way into your samsung pass meaning no account stealing and no phone reset. You would remotely track and lock the phone, protecting your data.

Again, would never do this, do not do this. I think explaining the attack really shows my point
arianwen27
Black Belt 

‎31-03-2025 11:06 PM - last edited ‎31-03-2025 11:08 PM

Options
In response to arianwen27
I've mentioned this briefly in replies before but as a uni student studying computer networking and security, I really enjoy finding and documenting these kinda things. Hence the giant paragraphs. I pick samsung phones due to their security and knox, things other androids don't come close to
0 Likes