CVE-2023-30674
Description
Improper configuration in Samsung Internet prior to version 21.0.0.41 allows attacker to bypass SameSite Cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Samsung Internet versions prior to 21.0.0.41 improperly configure SameSite cookies, allowing attackers to bypass cookie restrictions.
Vulnerability
Samsung Internet prior to version 21.0.0.41 contains an improper configuration vulnerability in its handling of SameSite cookies. The SameSite attribute is a security mechanism that restricts when cookies are sent with cross-origin requests. Due to misconfiguration, the browser fails to enforce this restriction properly, leaving cookies with a SameSite setting unprotected against cross-site request forgery (CSRF) attacks. The issue affects all versions of Samsung Internet before 21.0.0.41 [1].
Exploitation
An attacker can exploit this vulnerability without authentication or special privileges; the only requirement is that the victim visits a malicious website or clicks a crafted link while using the vulnerable browser. The attacker crafts a cross-origin request (e.g., via a form submission or image tag) targeting a site the victim is authenticated with. Because the browser's SameSite cookie check is misconfigured, the victim's session cookie is included in the cross-origin request, enabling the attacker to perform actions on behalf of the victim [1].
Impact
Successful exploitation allows an attacker to bypass the browser's SameSite cookie enforcement, leading to unauthorized access to web applications that rely on SameSite for CSRF protection. The attacker can perform actions (e.g., changing account details, transferring funds) on the vulnerable web application as the authenticated victim, resulting in potential data breach, financial loss, or account takeover [1].
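For applications that rely on SameSite alone, the sketch below shows a server-side check of the request's source that does not depend on the browser withholding the cookie. It is an added example, not code from the advisory or from Samsung, and it does not fix the browser; `ALLOWED_ORIGIN`, `checkRequestOrigin` and the sample requests are constructed assumptions.

```javascript
// Added example (not from the advisory): a server-side check that does not
// depend on the browser withholding SameSite cookies.
// ALLOWED_ORIGIN and SAMPLE_REQUESTS are constructed values.
const ALLOWED_ORIGIN = "https://app.example";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function originOf(value) {
  try {
    return new URL(value).origin; // normalises scheme, host and port
  } catch {
    return null; // unparsable, or the literal "null" of an opaque origin
  }
}

// headers: map of lower-cased header names. Returns { allow, reason }.
function checkRequestOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "none") {
    return { allow: false, reason: "sec-fetch-site=" + fetchSite };
  }
  const source = headers["origin"] ?? headers["referer"];
  if (!source) return { allow: false, reason: "no origin or referer" };
  const origin = originOf(source);
  if (origin !== ALLOWED_ORIGIN) {
    return { allow: false, reason: "origin " + origin + " not allowed" };
  }
  return { allow: true, reason: "same origin" };
}

// Constructed requests. The first carries the session cookie on a cross-site
// POST, which is what the server sees when SameSite is not enforced.
const SAMPLE_REQUESTS = [
  ["POST", { origin: "https://attacker.example", cookie: "sid=abc" }],
  ["POST", { origin: "https://app.example", cookie: "sid=abc" }],
  ["POST", { origin: "null", cookie: "sid=abc" }],
  ["POST", { referer: "https://app.example/settings", cookie: "sid=abc" }],
  ["POST", { cookie: "sid=abc" }],
];

function runSamples() {
  return SAMPLE_REQUESTS.map(([m, h]) => checkRequestOrigin(m, h).allow);
}

console.log(runSamples());
```

The check lets safe methods through unchanged, so it only protects an application whose state-changing actions are never reachable via GET.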
Mitigation
Users should update Samsung Internet to version 21.0.0.41 or later, which fixes the improper configuration. The vendor published the security update in July 2023. No workaround is available; applying the update is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=21.0.0.41
- (no CPE) range: 21.0.0.41
Patches
No patches discovered yet.
References