Date: 2019-05-08

Last month, it was discovered that a GitLab instance for Vandev Lab, which is owned by Samsung, had not secured its projects with a password. As such, dozens of internal coding projects for various Samsung apps, services, and projects were set to public, which in turn provided further access to Samsung projects, including its popular smart home ecosystem SmartThings.

Because the projects were not properly secured with a password, anyone could view the source code, download it, or even make changes.

A security researcher from SpiderSilk named Mossab Hussein uncovered the lapse in security on April 10 and reported it to Samsung. According to his findings, he had access to the entire AWS account, including over a hundred S3 storage buckets containing logs and analytical data.

The logs and analytics covered Samsung products such as SmartThings and Bixby services, as well as several employees' private GitLab tokens in plain text. With the use of these tokens, Hussein was able to access between 45 and 135 public and private projects.