Accessing data on A525FXXU4BVG1 without unlocking.
Hello, it has been a while since I last wrote a post. This one is a write-up of a logic issue I recently discovered on Samsung smartphones, which is also my second bug reported to Samsung.
The story starts with the earlier bug, which was marked as a duplicate, so let me explain that one first. On 2022.12.19 I discovered a problem on Samsung smartphones where the lock PIN and pattern could be revealed by a third-party application under certain circumstances. I submitted this to Samsung, which later designated the issue as a duplicate and responded to me as follows:
After the issue was marked as a duplicate, I kept a close eye out for an update to be pushed. Samsung A52 smartphones received a firmware update on the evening of January 6, so I installed it immediately because I believed a fix had been issued, and I confirmed that the duplicated report had indeed been fixed. I thought, “Okay, the issue is fixed,” and then got busy with my tasks and internal assessments. Later that month, while I was looking for a patch bypass, I discovered something strange on the phone.
The strange thing was that the third-party application exposing the lock PIN and pattern was actually Microsoft’s Link to Windows application. This application could be turned on and off directly from the locked screen through the notification bar, and turning it on immediately connected the phone to previously paired laptops.
Once the phone is connected to the PC, all of the phone’s data (messages, contacts and photos) can be accessed from the PC without entering the phone’s password. The Link to Windows app is developed and managed by Microsoft, but I considered the issue to be in the firmware, so I reported it to Samsung Mobile. They accepted it as a security bug after 12 days and rated the severity as low.
Then, after 2 months, I asked for an update on the report and they replied:
About 15 days later they rewarded me with $XXX, although according to Samsung’s policy they do not pay out until the fix starts to be pushed. So it was my turn to check whether the issue was actually fixed on my side. I checked, and it had only been fixed superficially: this time I tapped the ‘Link to Windows’ text below its icon
and a new interface was shown:
When I turned on the feature from this interface, Link to Windows turned on :0 and the same issue recurred, posing a security risk since the feature could still be enabled without unlocking the device. I quickly reported this to the Samsung security team as an incomplete fix, and after they validated it, it took them around 2 months to fix the issue completely.
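The defensive pattern that closes both paths described above, as an added example that is not Microsoft’s or Samsung’s code: an Android quick-settings tile that defers the enable action through TileService.unlockAndRun() while the keyguard is showing, and a companion settings activity (the “new interface” reached from the tile label) that applies the same KeyguardManager check so the second path cannot skip the gate. The package name, the RemoteLinkController placeholder and both class names are hypothetical; everything else is the public Android API.

```java
// Added defensive example, not code from Link to Windows or Samsung firmware.
// Two source files are shown back to back; each Activity/TileService needs its
// own file and a manifest entry (the tile with
// android:permission="android.permission.BIND_QUICK_SETTINGS_TILE").
package com.example.lockawaretile; // hypothetical package

import android.app.Activity;
import android.app.KeyguardManager;
import android.os.Bundle;
import android.service.quicksettings.Tile;
import android.service.quicksettings.TileService;
import android.widget.Toast;

/** Hypothetical stand-in for whatever really starts and stops the PC link. */
final class RemoteLinkController {
    private static boolean enabled = false;
    static boolean isEnabled() { return enabled; }
    static void setEnabled(boolean on) { enabled = on; }
}

// --- LockAwareLinkTile.java ---
public class LockAwareLinkTile extends TileService {

    @Override
    public void onStartListening() {
        refreshTile();
    }

    @Override
    public void onClick() {
        // Turning the remote link OFF from the lock screen reduces exposure, so it is
        // allowed; only turning it ON is gated behind authentication.
        if (RemoteLinkController.isEnabled()) {
            RemoteLinkController.setEnabled(false);
            refreshTile();
            return;
        }
        if (isLocked()) {
            // The system prompts for the credential; the Runnable runs only after a
            // successful unlock (or at once if the device has no secure lock at all).
            unlockAndRun(this::enableLink);
        } else {
            enableLink();
        }
    }

    private void enableLink() {
        RemoteLinkController.setEnabled(true);
        refreshTile();
    }

    private void refreshTile() {
        Tile tile = getQsTile();
        if (tile == null) return;
        tile.setState(RemoteLinkController.isEnabled() ? Tile.STATE_ACTIVE : Tile.STATE_INACTIVE);
        tile.updateTile();
    }
}

// --- LinkSettingsActivity.java ---
// The detail screen opened from the tile label. It repeats the keyguard check so
// that reaching the feature through this UI gives no way around the tile's gate.
public class LinkSettingsActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        KeyguardManager km = getSystemService(KeyguardManager.class);
        if (km != null && km.isDeviceSecure() && km.isKeyguardLocked()) {
            // Ask the system to dismiss the keyguard; show settings only on success.
            km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
                @Override public void onDismissSucceeded() { showSettings(); }
                @Override public void onDismissCancelled() { finish(); }
                @Override public void onDismissError() { finish(); }
            });
        } else {
            showSettings();
        }
    }

    private void showSettings() {
        // A real screen would inflate its layout here; a toast keeps the example small.
        Toast.makeText(this, "Link settings (device unlocked)", Toast.LENGTH_SHORT).show();
    }
}
```

The point of checking in both places is that a quick-settings tile and its detail screen are two independent entry points to the same state. Gating only the tile's onClick(), which is what the first fix amounted to, leaves the detail screen reachable from the lock screen with full privileges, which is exactly the bypass described above.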
Timeline
2023/01/25: Reported to Samsung mobile security team
2023/02/07: Confirmation of the vulnerability
2023/04/04: Got rewarded
2023/04/27: Patch update pushed / bypass found
2023/04/27: Reported new report
2023/05/25: Confirmation of the vulnerability
2023/09/12: Issue fixed, Got rewarded +1
2023/09/13: Report closed