How I Found an HTML Injection in Email Vulnerability on Samsung, Leading to a $$$$ Payday


Taha Diwan

Cyber Security Write-ups

Greetings researchers,

I am Taha Diwan with IZYITS, and I would like to share with you my discovery of an HTML Injection in Email vulnerability on Samsung.

HTML Injection is a security vulnerability that occurs when an attacker is able to inject malicious HTML code into a web application or email system. In the context of email, this vulnerability allows an attacker to inject arbitrary HTML tags into the email body, which can then be displayed by the email client when viewed by the recipient.

Input is unsanitized and vulnerable to HTML injection, which may lead to phishing attacks. Because the injected HTML renders in email, an attacker may trick the victim into clicking a hyperlink that redirects them to a malicious site.

Using Dorking techniques, I started searching for Samsung subdomains.

Dork used: inurl:*.*.Samsung.com inurl: community.

Then, I came across Samsung Community’s domain “us.community.samsung.com”, and I began manual penetration testing there.

I then noticed a messaging feature, clicked on it, and found the inbox.

I immediately created a second account to act as the victim and logged into Samsung Community. Then, from my main account, I sent a message to the victim account.

The inbox feature allowed users to send private messages that appeared both in the Samsung Community portal and in the recipient's Gmail inbox.

Taking advantage of this, I first inserted a plain HTML payload into the message body and sent it to the victim. However, the payload was displayed as literal text rather than rendered.

I then intercepted the request with Burp Suite, replaced the message body with the payload, and sent it again, but unfortunately it still did not render.

Here’s what happened:

The original request sent the message in this encoded format: %3Cp%3Etest%3C%2Fp%3E

When I attempted to replace this with an HTML injection payload like the following:

<a href="https://www.bing.com">
<img src="https://upload.wikimedia.org/wikipedia/commons/6/You_Have_Been_Hacked%21.jpg">
</a>

I received an error: “Correct the highlighted errors and try again. Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and send the message when you are satisfied.”

This indicated that Samsung’s system was detecting and blocking the request due to the invalid HTML.

To bypass this, I modified the payload by adding a “+” symbol in place of the spaces inside the HTML tags. The final payload looked like this:

<a+href="https://www.bing.com">+<img+src="https://upload.wikimedia.org/wikipedia/commons/6/You_Have_Been_Hacked%21.jpg">+ </a>

I intercepted the request once again and replaced the original message body with this modified payload.

When I visited the victim’s account: boom, the payload had rendered successfully.

When a victim clicks on that image, they are redirected to the attacker’s malicious domain.
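A validator defect that reproduces exactly the behaviour described above is a canonicalization mismatch: the check runs on a form of the body in which “+” has not yet been decoded to a space, while the portal and the mail renderer see the decoded text. The Python below is an added example, not Samsung’s code; it assumes a validator that percent-decodes with unquote instead of unquote_plus, a hypothetical tag allowlist, and example.invalid in place of the real URLs, and places the decode-then-allowlist fix beside the vulnerable check.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote, unquote_plus

# Hypothetical policy: tags a private message may keep after sanitizing.
ALLOWED_TAGS = {"p", "b", "i", "br"}

# Constructed form-body values (application/x-www-form-urlencoded), modelled on
# the two attempts in the write-up; example.invalid stands in for the real URLs.
PLAIN_ATTEMPT = ("%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%22%3E"
                 "%3Cimg%20src%3D%22https%3A%2F%2Fexample.invalid%2Fa.jpg%22%3E%3C%2Fa%3E")
PLUS_ATTEMPT = ("%3Ca+href%3D%22https%3A%2F%2Fexample.invalid%22%3E+"
                "%3Cimg+src%3D%22https%3A%2F%2Fexample.invalid%2Fa.jpg%22%3E+%3C%2Fa%3E")

def naive_validate(form_value: str) -> bool:
    """Vulnerable path (assumed): percent-decodes only, so a '+' (a space in
    form encoding) survives inside tags and the tag regex no longer sees them.
    Returns True when the message is accepted."""
    text = unquote(form_value)
    for m in re.finditer(r"<(\w+)(?:\s[^>]*)?>", text):
        if m.group(1).lower() not in ALLOWED_TAGS:
            return False
    return True

class _AllowlistRebuilder(HTMLParser):
    """Re-emits only allowlisted tags, drops every attribute, escapes text."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_for_email(form_value: str) -> str:
    """Hardened path: decode exactly as the form parser does (unquote_plus),
    then rebuild the body from the allowlist so the stored message is the
    same text the web page and the mail renderer will display."""
    parser = _AllowlistRebuilder()
    parser.feed(unquote_plus(form_value))
    parser.close()
    return "".join(parser.out)
```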

Additionally, the message box feature allows users to search for others by username, and usernames are publicly available. An attacker could easily target specific users with phishing messages or injected HTML payloads.

I immediately reported this to Samsung.

Shortly after, I received confirmation from their team stating, “We confirmed the vulnerability from your finding and concluded the severity of the vulnerability is Moderate.” This acknowledgment indicated that Samsung accepted my vulnerability report.

After some time, I received a follow-up email confirming the bounty payment ($$$$) for my contribution.

POC:

Hall of Fame : Samsung acknowledged my findings by including my name in their Hall of Fame.

Appreciation: Samsung expressed their gratitude with an appreciation letter, recognizing my commitment to responsible disclosure.

A few days later, I reported the same vulnerability and bypass method on another domain of Samsung, and unfortunately, that report was also accepted as a valid bug.

My experience with the HTML Injection in Email vulnerability at Samsung emphasizes the importance of collaboration, and I’m thankful for the recognition and support received.

Thanks for reading, and I hope you found my write-up informative.

Happy hunting, and remember to test responsibly!
