Source code Samsung SmartThings and other sensitive data was accessible


A security researcher has discovered that source code from internal Samsung projects, including SmartThings, was publicly available. He was able to access the data because the projects were hosted on a GitLab instance with their visibility set to 'public'.

Security researcher Mossab Hussein told his story to TechCrunch. Hussein discovered that developers working for Samsung were using a GitLab instance on a domain owned by the Korean manufacturer. The dozens of projects on it were publicly accessible and not protected by a password: anyone with the URL could view the projects and download the source code.

According to Hussein, one of the projects contained AWS account credentials. These gave him access to more than a hundred S3 storage buckets containing logs and analytics data, including data for Samsung's SmartThings applications and Bixby services. He also found GitLab tokens belonging to various contributors, stored in plain text, which gave him access to a total of 135 projects.
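The two credential types described above, an AWS key pair and GitLab personal access tokens sitting in plain text in a repository, are exactly what a commit-time secret scanner is meant to catch. The following is an added illustration of such a check and is not Samsung's or the researcher's tooling. Everything in it is constructed: the AWS key pair is the example pair from AWS's own documentation and is not live, the GitLab tokens are made up, and the assumption that current GitLab tokens carry a glpat- prefix is stated in the code.

```python
"""Detect committed AWS and GitLab credentials in repository files.

Added illustration for this article; not Samsung's or the researcher's tooling.
All inputs below are constructed: the AWS key pair is the one used in AWS's own
documentation and is not live, and the GitLab tokens are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never store or print the full secret; findings end up in logs


# AWS access key IDs are 20 characters: AKIA (long-term IAM user keys) or ASIA
# (temporary STS keys) followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# A bare 40-character secret key matches far too much (hashes, base64 blobs),
# so require an aws_secret_access_key-style name on the same line.
AWS_SECRET_ACCESS_KEY = re.compile(
    r"(?i)aws[_\-]?secret(?:[_\-]?access)?[_\-]?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# GitLab personal access tokens created since 2021 carry a glpat- prefix
# (assumption about the current format). Tokens in circulation at the time of
# this incident were 20 random characters with no prefix, so also flag any
# value assigned to PRIVATE-TOKEN or a *gitlab*token* variable.
GITLAB_PAT_PREFIXED = re.compile(r"(?<![A-Za-z0-9_\-])(glpat-[A-Za-z0-9_\-]{20,})")
GITLAB_TOKEN_ASSIGNED = re.compile(
    r"(?i)(?:PRIVATE-TOKEN|gitlab[_\-]?(?:private[_\-]?)?token)[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9_\-]{20,})"
)

# Order matters: the specific glpat- rule runs before the generic assignment rule
# so a prefixed token is reported once, under the more precise kind.
PATTERNS = (
    ("aws_access_key_id", AWS_ACCESS_KEY_ID),
    ("aws_secret_access_key", AWS_SECRET_ACCESS_KEY),
    ("gitlab_pat", GITLAB_PAT_PREFIXED),
    ("gitlab_token_assignment", GITLAB_TOKEN_ASSIGNED),
)


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per distinct credential found in the text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()  # the same value may satisfy two rules on one line
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in seen:
                    continue
                seen.add(secret)
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (for example a git checkout)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The AWS pair is the AWS documentation example.
SAMPLE_REPO = {
    "config/aws.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "# old-style 20-character token passed in a header (constructed)\n"
        'curl --header "PRIVATE-TOKEN: abcdefghij0123456789" https://gitlab.example/api/v4/projects\n'
        "GITLAB_TOKEN=glpat-ExAmPlE0123456789abcd ./push.sh\n"
    ),
    "README.md": "Build notes. Credentials are read from the secret manager at deploy time.\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Run on the sample it reports four findings, two in config/aws.yml and two in scripts/deploy.sh, and nothing for the README. In practice the scan belongs in a pre-receive hook and should also be run over the full history (git log -p), since a secret deleted in a later commit is still retrievable from an accessible repository. The visibility problem in this story is a separate check: a GitLab instance can be asked, without any authentication, which projects it exposes via GET /api/v4/projects?visibility=public, and that listing should be empty on an internal instance.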

Samsung reportedly told Hussein that the files were test files, but the researcher says the SmartThings source code he found on GitLab matches the code of the Android app in the Google Play Store. Hussein also says the rights he obtained would have allowed him to make changes to the code.

Hussein also had access to certificates for SmartThings' iOS and Android apps, as well as several internal documents and slideshows. The researcher notes that someone else could already have had the same access and made changes to the source code without Samsung's knowledge.

On April 10, Hussein informed Samsung of his findings. The manufacturer then began revoking the AWS credentials. According to Hussein, it took until April 30 for Samsung to revoke all the private keys that gave him access to GitLab projects.

In a response to TechCrunch, Samsung says it quickly withdrew all keys and certificates on the test platform. Samsung says it has found no evidence that others had access to the data, but the matter is still under investigation.
