Samsung lock screen flaw found; company working on fix

The flaw requires several steps to work, but would let someone run and interact with any app or widget, and access the settings menu.

A security researcher has revealed a method for accessing applications running on a locked Samsung handset.

The flaw is somewhat similar to one that was revealed by another researcher earlier this year on iPhones. On a Samsung handset, users can, from the lock screen, pretend to dial an emergency services number, quickly dismiss it, and with some sleight of hand, quickly gain access to any app or widget, or the settings menu in the device. The dialer can also be launched, allowing the "hacker" to place a call.

According to Terence Eden, who discovered the flaw and posted a video on YouTube showing it in action, the technique is only possible on Samsung's version of Android, and not on the stock Android version that Google releases. Eden has tested the technique only on a Galaxy Note 2 running Android 4.1.2, but believes it should work on other Samsung handsets.

Eden says that he contacted Samsung in February about the flaw and the company told him that it is working on a fix. Eden offered to delay publication of the flaw until Samsung had a fix, but the company "declined this offer."

Similar flaws have been spotted that affect the Galaxy S3 and the Galaxy Note 2.

"I have discovered another security flaw in Samsung Android phones," Eden said in his blog post today. "It is possible to completely disable the lock screen and get access to any app -- even when the phone is 'securely' locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing."

Eden's discovery follows a similar flaw in iOS 6.1 that allowed hackers to place calls and access the phone app in Apple's software. That flaw also required users to take advantage of the emergency-calling feature. Yesterday, Apple released iOS 6.1.3, which included a fix for the lock screen bug.

CNET has contacted Samsung for comment on the flaw. We will update this story when we have more information.

(Via Slashgear)