A security researcher has revealed that sensitive Samsung data, including source code, credentials and secret keys, was left publicly accessible on GitLab.
Mossab Hussein, a security researcher at SpiderSilk, discovered dozens of exposed files, among them credentials giving access to the entire AWS account used by the projects hosted on GitLab.
Many of the files contained logs, analytics data and the source code for Samsung's smart home ecosystem, SmartThings, and for its Bixby services. The files also contained several employees' credentials stored in plaintext. In all, Hussein was able to access some 135 projects. Samsung's internal code was exposed because the GitLab projects had been configured as public, with no password protection, so anyone who found them could browse and download the source code.
Hussein discovered the exposure on April 10. Samsung responded that some of the exposed files were for testing, but Hussein challenged that claim, saying the source code found on GitLab was the same code as the Android app published on Google Play, which has been installed more than 100 million times to date.
“I had the private token of a user who had full access to all 135 projects on that GitLab,” Hussein said.
What raises more concern is that the token would have let Hussein, or anyone else who found it, make changes to Samsung's code. He stated:
“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.”
Had the exposed private keys and token fallen into the wrong hands, the outcome could have been “disastrous”.
In the days after Hussein disclosed the leak, Samsung began revoking the AWS credentials, but it remains unknown whether all of the exposed secret keys have been revoked. The company did not revoke the GitLab keys until April 30.
Ilia Kolochenko, founder and CEO of ImmuniWeb, said the leak came as no surprise.
“Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web.
“Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organizations. Outsourcing of software development to third parties tremendously exacerbates the problem.”
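The plaintext employee credentials, AWS keys and private keys described above are exactly what a repository secret scan is meant to catch before a project is ever set to public. The following Python scanner is an added example, not code from this article, from Samsung or from ImmuniWeb. The sample repository contents are constructed: the AWS key pair is AWS's own published example credential (AKIA/ASIA prefix and 40-character secret are AWS's documented formats), the `glpat-` personal-access-token prefix is GitLab's current format, introduced in 2021 and therefore newer than the tokens in this leak, and the GitLab token, password and PEM body are made up. The `src/main.py` entry shows the hardened pattern, reading the key from the environment, and produces no finding.

```python
"""Minimal secret scanner: flags plaintext credentials in repository files.
Added example, not code from the article or from Samsung's repositories."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample repository (not the leaked Samsung files). The AWS key
# pair is AWS's documented example credential; the other secrets are made up.
SAMPLE_FILES = {
    "config/aws.properties": (
        "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
        "aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "db.password=Summer2019!\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITLAB_TOKEN=glpat-Zq8mXk2vR7pLw3nYb4dT\n"
        "git push https://oauth2:$GITLAB_TOKEN@gitlab.example.com/group/app.git\n"
    ),
    "keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAnotarealkey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # Hardened form: the key is read from the environment at run time, so this
    # file can live in a public repository without leaking anything.
    "src/main.py": "import os\naws_key = os.environ['AWS_ACCESS_KEY_ID']\n",
}

# (finding type, regex); group 1 captures the secret itself. Ordered from most
# to least specific so a token matched by two patterns is reported once.
PATTERNS = [
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 chars.
    ("aws_access_key_id", re.compile(r"""\b((?:AKIA|ASIA)[0-9A-Z]{16})\b""")),
    # AWS secret access keys: 40 base64-like chars assigned to an aws*secret/key name.
    ("aws_secret_access_key", re.compile(
        r"""(?i)aws[\w.-]{0,20}?(?:secret|key)[\w.-]{0,10}?\s*[=:]\s*['"]?"""
        r"""([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])""")),
    # GitLab personal access tokens carry the glpat- prefix (GitLab 14.5+, 2021).
    ("gitlab_pat", re.compile(r"""\b(glpat-[A-Za-z0-9_-]{20,})""")),
    # PEM private key headers, whatever the key type.
    ("private_key_block", re.compile(
        r"""(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)""")),
    # Generic NAME=value assignments where NAME looks like a credential.
    ("generic_credential", re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|token|api_?key)\s*[=:]\s*['"]?([^\s'"]{8,})""")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys score high, placeholders and words low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    secret: str
    entropy: float


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; report each distinct secret once per line."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(1)
                if (lineno, secret) in seen:
                    continue  # already reported under a more specific type
                seen.add((lineno, secret))
                findings.append(Finding(path, lineno, kind, secret,
                                        round(shannon_entropy(secret), 2)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, e.g. built from a git checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    # Print the secret masked: the report itself must not become a second leak.
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind:22} entropy={f.entropy:.2f} {f.secret[:4]}...")
```

The entropy column is there to rank what the regexes find: the 40-character AWS secret scores around 4.7 bits per character, while `Summer2019!` scores about 3.3, which is the kind of human-chosen employee password this leak contained. A scan like this belongs in pre-receive hooks or CI so it runs before code reaches a hosted repository, and the findings should be treated as already compromised once the repository has been public, which is why revocation, not deletion from history, is the fix.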
Samsung has declined to answer questions regarding the leak.