Last month, it was discovered that a GitLab instance for Vandev Lab, which is owned by Samsung, had not secured its projects with a password. As a result, dozens of internal coding projects for various Samsung apps, services, and projects were set to public, which in turn provided further access to Samsung projects, including its popular smart home ecosystem SmartThings.
Because the projects were not password-protected, anyone could view the source code, download it, or even make changes.
A security researcher from SpiderSilk named Mossab Hussein uncovered the lapse in security on April 10 and reported it to Samsung. Among his findings, he had access to an entire AWS account, including over a hundred S3 storage buckets containing logs and analytical data.
The logs and analytics covered Samsung products such as SmartThings and Bixby services, as well as several employees' private GitLab tokens in plain text. With the use of these tokens, Hussein was able to access between 45 and 135 public and private projects.
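Plaintext tokens sitting in logs and analytics data, as described above, are exactly what a log pipeline should catch before anything is written to storage. The following is an added example, not code from the article, Samsung, or SpiderSilk: a small Python scanner that flags and redacts credential-shaped strings in log lines. The token shapes are assumptions about present-day formats (the "glpat-" prefix only exists in newer GitLab versions, so tokens of the 2019 era would only be caught by the header-based rule), and the sample log lines are constructed.

```python
import re

# Credential-shaped patterns (assumptions about current formats, not values
# from the incident):
#   - GitLab personal access tokens carry a "glpat-" prefix since GitLab 14.5.
#   - AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
#   - A token sent to the GitLab API as a "PRIVATE-TOKEN:" header and echoed
#     into an access log, whatever its shape (catches older bare tokens).
PATTERNS = {
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_private_token_header": re.compile(
        r"(PRIVATE-TOKEN:\s*)([A-Za-z0-9_\-]{20,})", re.IGNORECASE),
}


def scan_line(line):
    """Return (pattern_name, matched_secret) pairs found in one log line."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            # Header rule captures the token in group 2; others use the whole match.
            secret = m.group(2) if m.lastindex else m.group(0)
            hits.append((name, secret))
    return hits


def redact_line(line):
    """Replace each detected secret with a marker that keeps the rule name and
    the last four characters: enough to tie a leak to a specific credential
    during incident response without re-exposing it."""
    for name, secret in scan_line(line):
        line = line.replace(secret, f"[REDACTED:{name}:...{secret[-4:]}]")
    return line


def scan_log(lines):
    """Scan a sequence of log lines; return (redacted_lines, total_findings)."""
    redacted, count = [], 0
    for line in lines:
        hits = scan_line(line)
        count += len(hits)
        redacted.append(redact_line(line) if hits else line)
    return redacted, count


# Constructed sample log lines; every token value here is made up.
SAMPLE_LOG = [
    "api GET /api/v4/projects PRIVATE-TOKEN: aBcDeFgHiJkLmNoPqRsT status=200",
    "api GET /api/v4/projects?private_token=glpat-0123456789abcdefghij status=200",
    "s3 PutObject bucket=analytics key=AKIAABCDEFGHIJKLMNOP status=200",
    "app user=jdoe action=login status=200",
]
```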
When he contacted Samsung, Hussein was told some of the files were for testing, but he was quick to point out the source code for the current version of the Android SmartThings app was present. The app has been updated since their conversation, however.
The most dangerous part of this access is that, with the GitLab tokens, Hussein could have made changes to Samsung's code. He stated:
The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.
The AWS credentials were revoked a few days after Hussein contacted Samsung, but it hasn't been verified whether the secret keys and certificates received similar treatment. As of now, Samsung still hasn't closed the vulnerability report almost a month after it was first reported. However, when asked for a comment, Zach Dugan, a Samsung spokesman, replied:
We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.
According to Hussein, it took until April 30 for the GitLab private keys to be revoked, and he is quoted as saying, "I haven't seen a company this big handle their infrastructure using weird practices like that." When TechCrunch asked specific questions about the incident, or for proof it was only for testing environments, Samsung declined.
This is just another example of why proper security practices are becoming more and more important as technology finds its way into every aspect of our lives.