Last month, it was discovered that a GitLab instance belonging to Vandev Lab, a Samsung-owned development lab, had left its projects accessible without any password or login. As a result, dozens of internal coding projects for various Samsung apps and services were effectively public, and the material inside them opened the door to further Samsung projects, including its popular SmartThings smart home ecosystem.
Because the projects were not protected, anyone who found the instance could browse the source code, download it, or, using the credentials stored alongside it, even push changes.
Mossab Hussein, a security researcher at SpiderSilk, uncovered the lapse on April 10 and reported it to Samsung. According to his findings, the exposure extended to the entire AWS account, including more than a hundred S3 storage buckets holding logs and analytics data.
That data related to Samsung products such as SmartThings and Bixby, and it also contained several employees' private GitLab tokens in plain text. Using those tokens, Hussein was able to access somewhere between 45 and 135 additional public and private projects.
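The credentials Hussein found were sitting in plain text inside logs and analytics data, which is exactly where a secret scanner should have caught them before they were written to S3. The following Python script is an added example, not code from the original article nor from Samsung or SpiderSilk: it scans a few constructed log lines for the credential shapes involved in this incident (AWS access key IDs and secret keys, and GitLab private tokens passed as a `private_token` query parameter or a `PRIVATE-TOKEN` header) and shows how the same patterns can redact a line before it is stored. The sample lines, token values and function names are assumptions; the AWS key values are the placeholder keys from AWS's own documentation.

```python
import re

# Regexes for the credential shapes seen in this incident: AWS access key IDs,
# AWS secret keys (found by the key name that precedes them, since the value
# itself is just 40 base64-ish characters), and GitLab private tokens sent as
# a query parameter or a PRIVATE-TOKEN header. The glpat- prefix only exists
# on tokens issued by GitLab 14.5 or later; 2019-era tokens were bare
# 20-character strings, so the prefix is optional here.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"),
    "gitlab_private_token": re.compile(
        r"(?:private_token=|PRIVATE-TOKEN:\s*)((?:glpat-)?[A-Za-z0-9_\-]{20,})"),
}

# Constructed sample log lines (assumption): the kind of request and SDK
# debug output that ends up in an application log bucket. The AKIA/wJal
# values are the example credentials from AWS documentation, not real keys.
SAMPLE_LOG = [
    "2019-04-10T08:12:01Z GET /api/v4/projects/1234/repository/tree"
    "?private_token=Xy7zQ2mKpL9vRtB4wNs8 200",
    "2019-04-10T08:12:02Z DEBUG outbound headers: PRIVATE-TOKEN: aB3dE5fG7hJ9kL1mN3pQ",
    "2019-04-10T08:13:44Z DEBUG boto session aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2019-04-10T08:14:00Z INFO analytics batch for bixby flushed 4213 events",
]


def mask(secret: str) -> str:
    """Keep just enough of a secret to identify it in a report, never the whole value."""
    return secret[:4] + "..." + secret[-2:]


def scan_log_lines(lines):
    """Return one finding per credential found, with the value masked."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"line": line_no, "kind": kind, "masked": mask(match.group(1))})
    return findings


def redact_line(line: str) -> str:
    """Replace every credential in a log line; call this before the line is written out."""
    for kind, pattern in SECRET_PATTERNS.items():
        line = pattern.sub(
            lambda m, k=kind: m.group(0).replace(m.group(1), f"[REDACTED:{k}]"),
            line)
    return line


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['kind']} {finding['masked']}")
    print()
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Running the script reports four findings across the first three lines and leaves the Bixby analytics line untouched. The scanner is deliberately narrow: it keys on the known prefix of AWS access key IDs and on the parameter and header names GitLab actually uses, because a generic "20 random characters" rule would flood a log pipeline with false positives. The point is that a check like this belongs in the logging path itself, not in a researcher's after-the-fact report.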
When he contacted Samsung, Hussein was told that some of the files were only for testing, but he was quick to point out that the source code for the then-current version of the Android SmartThings app was among them. The app has been updated since that conversation.
The most dangerous part of this access is that, with the GitLab tokens, Hussein could have made changes to Samsung's code. He stated:
The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.
The AWS credentials were revoked a few days after Hussein contacted Samsung, but it has not been verified whether the secret keys and certificates received the same treatment. As things stand, Samsung still has not closed the vulnerability report almost a month after it was first filed. When asked for comment, however, Samsung spokesman Zach Dugan replied:
We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.
According to Hussein, it took until April 30 for the GitLab private keys to be revoked, and he is quoted as saying, "I haven't seen a company this big handle their infrastructure using weird practices like that." When TechCrunch asked specific questions about the incident, or for proof that only testing environments were affected, Samsung declined to answer.
This is just another example of how proper security practices are becoming more and more important these days as technology finds its way into every aspect of our lives.