This is exploitable – tampering with CNN for Samsung Edge Panel

A humble first for a small series on leaky and vulnerable apps

The Samsung-exclusive app CNN for Samsung Edge Panel, exists to enable users to get the latest news as an edge-panel. To do this it uses HTTP to get sections, images, headlines, links to articles and report metrics back to CNN. This means that, on an insecure or untrusted network, it’s this possible for a third-party (someone not CNN or the user) to find out how, if and when the app is used, which categories the user is interested in, if they want the US or international version, details about the device, details about the service-provider, the possibility to log or replace any image shown in the app, as well as any title or article link.

The included PoC uses mitmdump and python to extract received telemetry and modify content, replacing headlines, images, and links. While the PoC could use HTTP 301 to move the section-definitions to a third-party server, this has intentionally not been done, in order to ensure it’s easily reversible. As of writing, this exploit works with the most up to date version of the app.

Proof of Concept

Source: Github
Requirements: mitmproxy 4.0.4 installed on the PC (pip install -r requirements.txt), CNN for Samsung Edge Panel (1.0.rc39) installed on the Samsung mobile device (available in the Galaxy Store)

Only tested with Python 3.6.5 on Ubuntu 18.04.1


1. On the test PC run: mitmdump -s cnn-edge-panel-01/src/demo.py --anticomp --anticache --ignore :443$
2. On the Samsung mobile device: set the test PC as the HTTP proxy of the device
3. (not necessary) On the Samsung mobile device: open a browser and go to a website, if you see “… clientconnect” or “GET …” in the window mitmdump terminal, things should be working
4. Open the CNN for Samsung Edge Panel app. If the PoC works, you should see all categories being renamed “Hacking”, and all the news being replaced with jokes. Pressing “Hack all the things”, should then open a YouTube video. Additionally, the terminal should have at least one line reading “Got metrics …”, config.outturner.com, metrics.cnn.com, and compositor.api.cnn.com.

Depending on caching, you might experience that the sections retain their unmodified names if this happens but the headlines and such changed, the app didn’t reload edge-config.json but did reload the section. As of writing, it appears edge-config.json has been 404ed.

Expected behavior

  1. HTTPS, not HTTP being used in the app, HTTP 301, HSTS on compositor.api.cnn.com
  2. edge-config.json only lists HTTPS URLs
  3. edgepanelkill.json only lists HTTPS URLs

Timeline

  • 2018-09-11 Issue reported to Samsung
  • 2018-09-14 Samsung dismisses issue (not a Samsung app)
  • 2018-09-14 Issue reported to CNN
  • 2018-10-06 Issue reported to CNN
  • 2018-12-16 Report publishe