Potential samsung pass vulnerability

(Topic created on: 31-03-2025 08:18 PM)
643 Views
arianwen27
Black Belt 
Heyo, I've sorta just spotted something with Samsung Pass that is rather worrying in terms of authentication. I'd report this to Samsung, but I have a feeling live chat will have no idea what I'm talking about, so I wouldn't know who to tell. First let me explain the situation.

You have Samsung Pass set up with the verification method set to fingerprints and the Samsung Pass PIN. So you need a fingerprint to access it.

Say someone watches you enter your device code. They take the device and try to access your Samsung Pass. They get stopped, as fingerprint verification or the Samsung Pass PIN is required. They only know your phone code, as they saw you enter it. They cannot access Samsung Pass. This is how things should be. The issue...

They go to settings in Samsung Pass, they go to verification method, they enable "use screen lock". No fingerprint prompt appears; it just enables without question. They use that screen unlock code to access Samsung Pass. They see your Samsung account password saved. They use that to remove the account from the device. They own the device now.

Why can "use screen lock" be enabled without any kind of other authentication system? You should not be able to add another way to unlock it without proving you can use the other ways first. This is a rather large security hole.
I should also add, why can it be disabled in the first place if it can be enabled again at any moment?

I should add, this isn't some theoretical attack: the "identity check" feature in One UI 7 is designed specifically to stop this attack. But the loophole is Samsung Pass not authenticating some settings correctly.
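The design principle behind this post is that changing which methods a vault accepts is itself a privileged action, so it must be gated by one of the strong methods already enabled, and the device screen lock alone must never be enough. The model below is an added example written for this thread, not code from the original post or from Samsung Pass; the `Factor`, `VaultSettings` and `Session` names and the two policy functions are hypothetical, and it only simulates the flow the post describes (a vulnerable toggle beside a hardened one, plus a check that the hardened rule does not lock out the real owner).

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    FINGERPRINT = "fingerprint"   # vault-specific biometric
    APP_PIN = "app_pin"           # vault-specific PIN (the "Samsung Pass PIN" in the post)
    SCREEN_LOCK = "screen_lock"   # the device unlock code, shared with everything on the phone


# Factors dedicated to the vault count as "strong". The screen lock is a fallback that anyone
# who watched the device code being typed already holds, so it must never widen access on its own.
STRONG = {Factor.FINGERPRINT, Factor.APP_PIN}


class AuthError(Exception):
    pass


@dataclass
class Session:
    """What the current user has proven in this session (constructed for the example)."""
    proven: set[Factor]


@dataclass
class VaultSettings:
    enabled: set[Factor]          # verification methods the vault currently accepts


def can_open_vault(settings: VaultSettings, session: Session) -> bool:
    return bool(session.proven & settings.enabled)


def toggle_method_vulnerable(settings: VaultSettings, session: Session,
                             factor: Factor, enable: bool) -> None:
    """Mirrors the flaw the post describes: the settings screen changes the accepted
    methods without asking the caller to prove anything first."""
    if enable:
        settings.enabled.add(factor)
    else:
        settings.enabled.discard(factor)


def toggle_method_hardened(settings: VaultSettings, session: Session,
                           factor: Factor, enable: bool) -> None:
    """Step-up rule: any change to the verification set requires a factor that is both
    currently enabled and strong. Holding only the device code is not enough, and the
    last strong method can never be removed (the post's second question)."""
    if not (session.proven & settings.enabled & STRONG):
        raise AuthError("re-authenticate with an enabled strong factor before changing methods")
    if enable:
        settings.enabled.add(factor)
        return
    remaining = settings.enabled - {factor}
    if not remaining & STRONG:
        raise AuthError("cannot remove the last strong verification method")
    settings.enabled = remaining


def shoulder_surfer_gets_in(toggle) -> bool:
    """Replays the post's scenario against one toggle policy: the vault accepts fingerprint
    or app PIN, the holder of the phone has only the device code, enables 'use screen lock'
    and then tries to open the vault with it. Returns True if the vault opens."""
    settings = VaultSettings({Factor.FINGERPRINT, Factor.APP_PIN})
    holder = Session({Factor.SCREEN_LOCK})
    assert not can_open_vault(settings, holder)     # blocked at the vault door, as expected
    try:
        toggle(settings, holder, Factor.SCREEN_LOCK, enable=True)
    except AuthError:
        return False
    return can_open_vault(settings, holder)


def owner_can_still_change_settings(toggle) -> bool:
    """The hardened rule must not lock out the legitimate owner, who can present a fingerprint."""
    settings = VaultSettings({Factor.FINGERPRINT, Factor.APP_PIN})
    owner = Session({Factor.FINGERPRINT, Factor.SCREEN_LOCK})
    try:
        toggle(settings, owner, Factor.SCREEN_LOCK, enable=True)
        toggle(settings, owner, Factor.SCREEN_LOCK, enable=False)
    except AuthError:
        return False
    return settings.enabled == {Factor.FINGERPRINT, Factor.APP_PIN}


if __name__ == "__main__":
    print("vulnerable policy, device-code holder opens vault:", shoulder_surfer_gets_in(toggle_method_vulnerable))
    print("hardened policy, device-code holder opens vault:  ", shoulder_surfer_gets_in(toggle_method_hardened))
    print("hardened policy, owner can still toggle:          ", owner_can_still_change_settings(toggle_method_hardened))
```

The check that matters is the intersection `session.proven & settings.enabled & STRONG`: it ties the right to edit the method list to what the vault already trusts, so adding a weaker fallback can only be done by someone who could already open the vault the strong way.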
15 REPLIES
Sonora
Maestro

I never use the device code to unlock my phone when someone is looking. So you can't access my Samsung Pass.

0 Likes
arianwen27
Black Belt 
That's not really my point. This whole thing started a few years ago. There's a trick where malicious individuals go to a bar, find someone, flirt or something, and get the person to request their phone number. The malicious person then goes to enter it into the phone, locks the phone, and presses the fingerprint sensor a few times. Now the phone is locked and fingerprint is disabled. They then say the phone locked, and the owner enters the code to unlock the phone. The malicious person now has the phone and code. Then they can use the Samsung Pass issue.

So yes, normally you don't enter your code. But the bar scam thing is so common that both Apple and Google added protection against it. It's called Identity Check on Android 15.

Yes, people who are aware won't enter or show their code. But it only takes one mistake. Samsung adding the proper checks to Samsung Pass would prevent the worst parts of the scam.

[Screenshot: Screenshot_20250331_232121_Settings_1000017432_1743459691.png]
0 Likes
Sonora
Maestro

First mistake. Never give your phone to a stranger, enter the number yourself. It is very likely that your phone will not ask you for the device code, but your finger will unlock the phone. If you don't take some simple security steps like this yourself, it will be very difficult for someone to trick you. Caution is the mother of wisdom.😋

0 Likes
arianwen27
Black Belt 
You are right. But the majority of people don't do that. When drunk or out, they will just turn their phone to have someone enter a phone number.

Pressing the wrong finger on the fingerprint sensor 3-5 times disables it, forcing the code.

Also, this is such a big issue that Google and Apple made a specific security system to prevent it. So you can't just blow it off that easily. Yes, you or I won't fall for it. But the fact that Samsung Pass has this security hole still exists.
0 Likes
Sonora
Maestro

Ahh, those wonderful old days when there were no cell phones, so you still scheduled meetings and dates, and you wrote down phone numbers (not cell phones, but telephones) on a piece of paper or something. 😂

I don't even like selfies. I have the same front camera as Mark Meta on his laptop 😛🤭😂

0 Likes
arianwen27
Black Belt 
Nice to see Samsung is hopefully looking into this.

[Screenshot: Screenshot_20250401_184356_Samsung Members_1000017448_1743529447.png]
0 Likes