Samsung spilled SmartThings app source code and secret keys

TechCrunch | 5/8/2019 | Staff

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access, and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but several also held employees’ private GitLab tokens stored in plaintext. Those tokens let him extend his reach from the 42 public projects to 135 projects, many of them private.
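The two failure modes described above, AWS credentials and GitLab personal tokens committed in plaintext, are exactly what a pre-commit or repository scan should catch. The following is an added example, not code from TechCrunch, SpiderSilk or Samsung, and the configuration it scans is a constructed sample rather than anything from the leaked instance. The AWS key formats are the documented ones (an access key ID starting with AKIA or ASIA, a 40-character secret). Newer GitLab versions prefix personal access tokens with glpat-; tokens of the era in the article had no prefix, so the second GitLab pattern keys on the variable name instead (an assumption about naming, not a GitLab format).

```python
"""Scan text for committed credentials of the kinds described in the article.

Added example; the patterns for GitLab variable names are assumptions, and
SAMPLE_CONFIG below is constructed input, not Samsung's files.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str   # first four characters only, so a report never re-leaks the secret
    entropy: float  # Shannon entropy in bits per character, useful for triage


# Order matters: a more specific pattern (prefixed GitLab token) is tried before
# the generic assignment pattern, and duplicates on the same line are dropped.
PATTERNS = {
    # Documented AWS access key ID format: AKIA (long-lived) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Documented AWS secret format: 40 base64-ish characters, here tied to its variable name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    # Modern GitLab personal access tokens carry a glpat- prefix.
    "gitlab_pat_prefixed": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    # Unprefixed tokens (as in 2019) can only be recognised by how they are named; assumed names.
    "gitlab_token_assignment": re.compile(
        r"(?i)(?:gitlab|private)[_-]?token\s*[:=]\s*['\"]?([A-Za-z0-9_-]{20,})['\"]?"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than words or placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per distinct secret value per line, in file order."""
    findings: List[Finding] = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Use the capture group when the pattern has one, else the whole match.
                secret = m.group(m.lastindex or 0)
                if (line_no, secret) in seen:
                    continue
                seen.add((line_no, secret))
                findings.append(
                    Finding(line_no, kind, secret[:4] + "...", round(shannon_entropy(secret), 2))
                )
    return findings


# Constructed sample input. The AWS values are Amazon's documentation examples.
SAMPLE_CONFIG = """\
# constructed sample .env, not Samsung's files
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_PRIVATE_TOKEN="glpat-AbCdEfGhIjKlMnOpQrSt"
PRIVATE_TOKEN = 'xRz9Qm2LkPw8Vn4Ty6Bj'
LOG_LEVEL=debug
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} {f.redacted} (entropy {f.entropy})")
```

Run it against a repository with `git grep -l . | xargs cat | python scan.py` style plumbing, or wire `scan_text` into a pre-commit hook; the point is that a public project, a plaintext token and an AWS key together turn a read-only leak into write access and full account control, so the scan belongs before the push, not after the disclosure.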

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings iOS and Android apps.

Hussein...
(Excerpt) Read more at: TechCrunch
I find it extremely funny when people keep voting and expecting the government to change!