Last month, it was discovered that a GitLab instance for Vandev Lab, which is owned by Samsung, had not secured its projects with a password. As such, dozens of internal coding projects for various Samsung apps, services, and projects were set to public, which in turn provided further access to Samsung projects, including its popular smart home ecosystem SmartThings.
Because the projects were not password-protected, anyone could view the source code, download it, or even make changes to it.
A security researcher from SpiderSilk named Mossab Hussein uncovered the lapse in security on April 10 and reported it to Samsung. In his findings, he had access to the entire AWS account including over a hundred S3 storage buckets containing logs and analytical data.
The logs and analytics covered Samsung products such as SmartThings and Bixby services, as well as several employees' private GitLab tokens in plain text. With the use of these tokens, Hussein was able to access between 45 and 135 public and private projects.
When he contacted Samsung, Hussein was told some of the files were for testing, but he was quick to point out the source code for the current version of the Android SmartThings app was present. The app has been updated since their conversation, however.
The most dangerous part of this access is that, with the GitLab tokens, Hussein could have made changes to Samsung's code. He stated:
The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.
The AWS credentials were revoked a few days after Hussein contacted Samsung, but it hasn't been verified whether the secret keys and certificates received similar treatment. As it stands, Samsung still hasn't closed the vulnerability report almost a month after it was first filed. However, when asked for comment, Zach Dugan, a Samsung spokesman, replied:
We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.
According to Hussein, it took until April 30 for the GitLab private keys to be revoked, and he is quoted as saying, "I haven't seen a company this big handle their infrastructure using weird practices like that." When TechCrunch asked specific questions about the incident, or for proof that it involved only testing environments, Samsung declined to answer.
This is just another example of how proper security practices are becoming more and more important these days as technology finds its way into every aspect of our lives.