SENSITIVE SOURCE CODE has been leaked by Samsung thanks to being stored on a GitLab repository that was set to public access and not password-protected.
This gaffe, according to TechCrunch, not only exposed files relating to projects Samsung engineers are working on, including its Bixby virtual assistant and the SmartThings platform, but also the GitLab tokens of several of its employees; those could provide deeper access to the content stored on the GitLab instance, including some projects marked as private.
Mossab Hussein, a security researcher at cybersecurity firm SpiderSilk, discovered the exposed files and noted that one project exposed the credentials needed to access the entire Amazon Web Services account being used with the project, which included more than 100 S3 storage buckets filled with analytics data and logs.
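The exposure described above is the classic case of credentials sitting in committed files. As an added example (not code from the article, from Samsung or from SpiderSilk), the following scanner looks for the documented shapes of two of the credential types involved here, AWS access key IDs (the `AKIA` prefix followed by 16 uppercase alphanumerics) and GitLab personal access tokens (the `glpat-` prefix), plus a heuristic for an AWS secret access key assignment. The sample config it scans is constructed; the key values in it are the well-known AWS documentation placeholders and a string of x's, not real secrets. Findings are redacted so the scanner's own output does not become a second leak.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes that commonly end up committed to repositories.
# The AWS access key ID format (AKIA + 16 uppercase alphanumerics) and the
# "glpat-" prefix of GitLab personal access tokens are documented formats.
# The secret-key pattern is a heuristic (assumption): 40 base64-style characters
# assigned to an "aws_secret_access_key" style key.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    "gitlab_personal_access_token": re.compile(r"\b(glpat-[A-Za-z0-9_-]{20,})\b"),
}

# Constructed sample config: AWS documentation placeholder keys and a dummy token.
SAMPLE_CONFIG = """\
# constructed sample config, not real credentials
[default]
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
image_tag = v1.2.3
"""


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without reproducing the secret."""
    return value[:6] + "*" * (len(value) - 6)


def scan_text(text: str, origin: str = "<memory>") -> List[Tuple[str, int, str, str]]:
    """Return (origin, line_number, finding_type, redacted_value) for each hit.

    Every pattern is tried on every line, so a line carrying two secrets yields
    two findings. Values are redacted before they are returned.
    """
    findings: List[Tuple[str, int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((origin, lineno, kind, redact(match.group(1))))
    return findings


def scan_file(path: str) -> List[Tuple[str, int, str, str]]:
    """Scan one file on disk; binary or undecodable content is skipped, not crashed on."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return []
    return scan_text(text, origin=path)


if __name__ == "__main__":
    # Run against the constructed sample; in practice point scan_file at a checkout.
    for origin, lineno, kind, value in scan_text(SAMPLE_CONFIG, origin="sample"):
        print(f"{origin}:{lineno}: {kind}: {value}")
```

Running this as a pre-commit hook or a CI step on the repository is the cheap control; the expensive one, which the article's account shows was missing, is that the tokens and AWS keys it would have flagged should never have been valid for the whole account in the first place.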
Had Hussein been a hacker rather than a security researcher, he could have caused a lot of problems for Samsung.
"I had the private token of a user who had full access to all 135 projects on that GitLab," he said, noting that the access could have allowed him to make code changes using the Samsung worker's account.
The unsecured GitLab instance also had private certificates for the iOS and Android version of the SmartThings app, as well as internal Samsung documents and slide shows.
Hussein flagged the security borkage to Samsung on 10 April, which responded by revoking the AWS credentials, but it's not known if the GitLab tokens and certificates were revoked.
"Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms," a Samsung spokesperson told TechCrunch when reached prior to publication.
"We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further."
This could have gone very badly for Samsung, especially when corporate secrets and R&D are juicy titbits for hackers and corporate spies.
Samsung already has plenty to worry about given the problems with its Galaxy Fold phone. But in this case, the problem could have been prevented with some sensible configuration and protection of the GitLab instance; we guess everyone makes mistakes sometimes, including international electronics giants.