According to security researcher Mossab Hussein, Samsung was leaking sensitive data – credentials, source code and secret keys for several important projects. The company had unknowingly given “public” access to the critical files in its development lab on GitLab, and the lab was not even protected by a password.


The exposed data contained credentials for the Amazon Web Services account being used for the development of Samsung services. It revealed 100 S3 storage buckets attached to the same AWS account, containing analytics and log data. Employees’ GitLab access tokens were also part of the sensitive data that was discovered. Using those access tokens, the security researcher gained access to various public and private projects, increasing the exposed project count from 43 to 135. “I had the private token of a user who had full access to all 135 projects on that GitLab,” claims Mossab Hussein.

The majority of the publicly visible files contained data related to Samsung’s SmartThings and Bixby services. Hussein further reveals that it could have been “disastrous” if any bad actor had manipulated the code.

Samsung hosts multiple projects on the Vandev Lab – a Samsung-hosted GitLab instance used for development purposes. The same instance holds projects such as Samsung’s SmartThings platform and Bixby services.

However, Samsung has now revoked all the keys and credentials on the testing platform. The company is further investigating whether there is any evidence of external access.
