December 16, 2019 News Magazine

Samsung spilled SmartThings app source code and secret keys

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not protected with a password, allowing anyone to browse each project and access and download its source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied).

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.

Source: TechCrunch
