Mossab Hussein, a security researcher at the cybersecurity firm SpiderSilk, told TechCrunch that highly sensitive secret keys, source code, and credentials for several Samsung projects were exposed through a development lab used by Samsung engineers. Hussein reported the issue to Samsung a month ago, and the company has yet to close the case on his report.
Samsung’s GitLab Error Leads to Data Leakage
Samsung left several in-house coding projects on a GitLab instance hosted on a company domain, Vandev Lab. The instance, which the company's engineers used to share and contribute code to numerous Samsung services, apps, and projects, was leaking data because the projects were not protected by authentication. Instead, they were set to 'public', allowing anyone to browse them and download the source code.
The instance held code and data for several of the company's projects, including its SmartThings platform. According to the researcher, one project contained credentials granting access to the entire Amazon Web Services account it used.
Hussein said most of the folders held logs and analytics data for the company's SmartThings and Bixby services. Some folders also contained employees' GitLab tokens stored in plaintext. Initially, Hussein had access to 42 public projects; using the employee tokens, he was able to reach a total of 135 projects, including several private ones.
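The two kinds of material described above, AWS credentials and personal access tokens committed in plaintext, are exactly what a secret scanner run in CI or as a pre-commit hook is meant to catch. The following Python scanner is an added example, not code from the article or from Samsung. It assumes the AWS-documented access key ID format (AKIA followed by 16 uppercase alphanumerics) and the glpat- prefix that current GitLab versions put on personal access tokens; bare 20-character tokens, as GitLab issued in 2019, are caught only by the entropy rule on secret-looking assignments. The sample repository contents are constructed, and the AWS values are the placeholder pair from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# Fixed-format credentials. The AKIA prefix and 16-character body come from AWS
# documentation; the glpat- prefix is GitLab's current personal-access-token
# format (assumption of this example, absent from the article).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "gitlab_pat": re.compile(r"\b(glpat-[0-9A-Za-z_\-]{20,})\b"),
}

# Assignments whose name suggests a secret. The value is flagged only when it
# looks random (high Shannon entropy), so placeholders such as "changeme" pass
# while bare random tokens without a recognisable prefix are still caught.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|password|api_key)[A-Z0-9_]*)\s*[:=]\s*['\"]?([^'\"\s]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; base64-ish secrets sit well above this


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-like value found in one file's contents."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(1)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if any(f.value == value for f in findings):
                continue  # already reported by a fixed-format pattern
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, f"high_entropy:{name}", value))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of repository path -> file contents."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (not from the real instance). The AWS pair is
# the placeholder key AWS uses in its own documentation; the tokens are made up.
SAMPLE_REPO = {
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_REGION=us-east-1\n"
    ),
    "ci/.gitlab-ci.yml": (
        "variables:\n"
        "  GITLAB_TOKEN: glpat-AbCdEfGhIjKlMnOpQrSt\n"
        "  DB_PASSWORD: changeme\n"
        "  LEGACY_API_TOKEN: xY9zQ2wL7mNp4kR8sT1v\n"
    ),
    "README.md": "Set GITLAB_TOKEN in CI settings, not in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.value}")
```

Anything the scanner flags should be treated as compromised and rotated, not just deleted from the working tree: the value stays in git history, and on a public instance it may already have been cloned. That is the same reasoning behind Samsung revoking the AWS keys and tokens rather than only fixing the project visibility.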
Samsung told Hussein that some of the files were used for testing. The researcher disputed this, pointing out that the source code in the GitLab repository matched the SmartThings app Samsung published on Google Play a month ago. The app, which Samsung updated a few days ago, has surpassed 100 million installations since it went live.
Samsung Is Handling Its Infrastructure Using “Weird Practices”
According to Hussein, the real danger is an attacker gaining this level of access to the SmartThings source code, since they could inject malicious code into the app without Samsung knowing.
Hussein first reported the issue to Samsung on April 10. A few days later, the company began revoking the Amazon Web Services credentials. However, a month after disclosure, Samsung has yet to close the case on Hussein's report.
Zach Dugan, a spokesperson for Samsung, told TechCrunch that the company revoked all keys and credentials for the platform after Hussein reported the problem. Although there is no evidence so far that any external access took place, Samsung is still investigating, the spokesperson added.
TechCrunch put further questions to the company but received no answers to several specific ones. Samsung also did not provide evidence that the development environment was, as it claimed, used for testing.
Hussein, a white-hat hacker, said Samsung's data leak was the biggest he had discovered so far. He expressed surprise at Samsung's practices, saying he had never seen a company of this size handle its infrastructure using such weird methods.