A security researcher at a Dubai-based cybersecurity firm SpiderSilk discovered a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform.
The researcher, Mossab Hussein, found Samsung engineers had left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain.
The platform was used by staff to share and contribute code to various Samsung apps, services and projects and contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed the researcher to gain additional access from as many as 135 projects, including many private projects.
Hussein reported the issue to Samsung on April 10, 2019, and said Samsung took until April 30 to revoke the GitLab private keys although it did immediately begin revoking the AWS credentials. But it’s not known if the remaining secret keys and certificates were revoked, the researcher told TechCrunch.
“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account and one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.
The real threat however, came from the threat of a malicious attacker being able to inject malicious code into one of the projects without Samsung knowing.
Samsung told Hussein some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10, according to the publication. The app has since been updated.
“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” a Samsung spokesperson told SC Media. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”
Ilia Kolochenko, founder and CEO of ImmuniWeb, told SC Media the finding wasn’t surprising.
“Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web,” Kolochenko said. “Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organizations. Outsourcing of software development to third parties tremendously exacerbates the problem.”
In addition remote developers may recklessly share, send and store your source code without any protection or care. These actions make it easy for cybercriminals to simply glean information leaked from public websites ultimately, sabotaging growing investments into cybersecurity by using insecure software development processes.
UPDATE: This story has been updated to include comments from Samsung.
