Last month, it was discovered that a GitLab instance for Vandev Lab, which is owned by Samsung, had not secured its projects with a password. As such, dozens of internal coding projects for various Samsung apps, services, and projects were set to public, which in turn provided further access to Samsung projects, including its popular smart home ecosystem SmartThings.
Because the projects were not properly secured with a password, anyone could view the source code, download it, or even make changes to it.
A security researcher from SpiderSilk named Mossab Hussein uncovered the security lapse on April 10 and reported it to Samsung. Through the exposed projects he had access to an entire AWS account, including over a hundred S3 storage buckets containing logs and analytics data.
The logs and analytics covered Samsung products such as SmartThings and Bixby services, as well as several employees' private GitLab tokens in plain text. With the use of these tokens, Hussein was able to access between 45 and 135 public and private projects.
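The tokens described above were exposed because they sat in plain text inside log and analytics data. The following scanner is an added illustration (not code from the article, SpiderSilk or Samsung) of the check a defender would run over such data before it is stored or shared: it finds GitLab personal access tokens and AWS access key IDs and redacts them. It assumes GitLab's current `glpat-` token prefix (introduced well after this 2019 incident; older tokens had no prefix, so the scanner also matches any value sent in GitLab's `PRIVATE-TOKEN` header) and the `AKIA` prefix of AWS access key IDs. The log lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Credential shapes that commonly leak into logs.
# Assumption: glpat- is GitLab's current personal-access-token prefix; unprefixed
# legacy tokens are only caught when they appear in a PRIVATE-TOKEN header.
# AKIA... is the AWS access key ID format.
PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "gitlab_private_token_header": re.compile(r"PRIVATE-TOKEN:\s*([A-Za-z0-9_-]{20,})"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    preview: str  # first four characters only; the full secret is never recorded


def scan_lines(lines):
    """Return one Finding per credential-shaped value found in the lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(n, kind, secret[:4] + "..."))
    return findings


def redact(line):
    """Replace every matched credential with a placeholder so the line is safe to keep."""
    out = line
    for pat in PATTERNS.values():
        if pat.groups:
            # Keep the header name, replace only the captured token value.
            out = pat.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), out)
        else:
            out = pat.sub("[REDACTED]", out)
    return out


# Constructed sample log lines (not real tokens or keys).
SAMPLE_LOG = [
    "2019-04-10T12:00:01Z INFO GET /api/v4/projects PRIVATE-TOKEN: glpat-AbCdEfGhIjKlMnOpQrSt",
    "2019-04-10T12:00:02Z DEBUG aws_access_key_id=AKIAEXAMPLEKEY000001 region=us-east-1",
    "2019-04-10T12:00:03Z INFO user=alice action=push project=smartthings-android",
    "2019-04-10T12:00:04Z INFO legacy client PRIVATE-TOKEN: zx9Qk2LmNpRs7Tv4Wy8B",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.preview})")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the scanner as a pre-storage filter (or as a scheduled job over existing buckets) turns "tokens sitting in logs" into an alert with a line number and a redacted copy, which is the evidence needed to trigger token rotation rather than a discovery left to an outside researcher.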
When he contacted Samsung, Hussein was told some of the files were for testing, but he was quick to point out the source code for the current version of the Android SmartThings app was present. The app has been updated since their conversation, however.
The most dangerous part of this access is that, with the GitLab tokens, Hussein could have made changes to Samsung's code. He stated:
The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.
The AWS credentials were revoked a few days after Hussein contacted Samsung, but it has not been verified whether the secret keys and certificates received similar treatment. As of now, Samsung still has not closed the vulnerability report almost a month after it was first filed. However, when asked for comment, Samsung spokesman Zach Dugan replied:
We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.
According to Hussein, it took until April 30 for the GitLab private keys to be revoked, and he is quoted saying, "I haven't seen a company this big handle their infrastructure using weird practices like that." When TechCrunch asked specific questions about the incident, or for proof it was only for testing environments, Samsung declined.
This is just another example of how proper security practices are becoming more and more important these days as technology finds its way into every aspect of our lives.