CVE-2017-18680

Vulnerability

The lockscreen interface on Samsung mobile devices running Android L (5.0/5.1) and M (6.0) for tablets exposes the Add User action. This action should be restricted when the device is locked, but it remains accessible, allowing an unintended ability to access user data stored on external storage. The affected versions are L(5.0/5.1) and M(6.0) tablets.

Exploitation

An attacker with physical access to the device can use the lockscreen Add User feature to create a new user account. Once the new user is created, they can navigate to external storage (e.g., an SD card) and access data belonging to the original user. No authentication or additional privileges are required beyond the lockscreen access.

Impact

Successful exploitation results in unauthorized disclosure of user data stored on external storage. The attacker gains read access to files that may include personal information, media, or other sensitive content. The compromise is limited to external storage; internal storage remains protected by the lockscreen.

Mitigation

Samsung addressed this issue in a security update released in March 2017, identified by SVE-2016-7797. Users should update their devices to the latest firmware to receive the fix. No workarounds are documented for unpatched devices.