Samsung Spilled SmartThings App Source Code, Secret Keys (techcrunch.com)

Mossab Hussein, a security researcher at SpiderSilk, has discovered that a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects -- including its SmartThings platform. TechCrunch reports: The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to "public" and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code. Hussein said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung's SmartThings and Bixby services, but also several employees' exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects. Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10. The app, which has since been updated, has more than 100 million installs to date.

  • Bixby? (Score:5, Funny)

    by tomhath ( 637240 ) on Wednesday May 08, 2019 @07:52PM (#58561552)
    Someone please update the code to make it possible to completely uninstall that stupid thing.
    • by Dunbal ( 464142 ) *
      There's a way to disable it and to disable the stupid button. I hate that fucking thing too. Do some research online; it's easy to find.
      • Re:Bixby? (Score:5, Informative)

        by crow ( 16139 ) on Wednesday May 08, 2019 @10:54PM (#58562142)

        I've followed those steps, and it keeps coming back. Also, to get to the place in the menu to disable it, you have to first create a Samsung account, and then it starts sucking all your stuff into their servers.

        Thanks to Bixby, I want to get a Pixel phone next time.

    • by mridoni ( 228377 )

      They're halfway there, at least in my case: the only thing the SmartThings app can do with my TV is turn it off (seriously).

  • they need to change "public" to "public internet"

  • by Anonymous Coward

    Nice to know Samsung understands security. *knox on wood*

  • by Anonymous Coward

    1. Don't check credentials into repos
    2. Limit repo access to need to know
    3. Don't leak repos onto the public Internet

    AFAIK, Sony only checked credentials into repos. I speculate, though, that credentials checked into repos that were widely available internally were likely used in the break-in, though I have no direct knowledge of that.

    I was working at a Sony PlayStation studio for approx. 2 years prior to the Sony break-in. (My contract was up a few months prior to the break-in.)

    We were starting to experiment with
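Rule 1 above is the one a pre-commit check can enforce mechanically. The following is an added example, not code from the thread or from Samsung: a small Python scanner that flags the kinds of material described in the story (AWS account keys and GitLab personal tokens in plaintext) using fixed-format patterns plus a name-and-entropy heuristic for other secrets. The `AKIA`/`ASIA` and `glpat-` prefixes are assumptions about the vendors' token formats, and the sample config is constructed.

```python
import math
import re
from collections import Counter

# Regexes for the credential types the story mentions (AWS account keys,
# GitLab tokens). The prefixes are assumptions about the vendors' formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
}
# Assignments whose variable name suggests a secret; the value is then judged
# by entropy so that placeholders such as ${VAR} are not flagged.
SECRET_ASSIGN = re.compile(
    r"(?i)\b([A-Z_]*(?:secret|token|password|passwd|api_key)[A-Z_]*)"
    r"\s*[=:]\s*['\"]?([^\s'\"]{16,})"
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, threshold: float = 3.5):
    """Return (line_no, kind, detail) for each suspected credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(lineno, kind, m.group(0))
                for kind, pat in PATTERNS.items() for m in pat.finditer(line)]
        if not hits:  # fall back to the name-plus-entropy heuristic
            m = SECRET_ASSIGN.search(line)
            if m and not m.group(2).startswith(("${", "<", "$(")) \
                    and shannon_entropy(m.group(2)) >= threshold:
                hits.append((lineno, "high_entropy_value", m.group(1)))
        findings.extend(hits)
    return findings

# Constructed sample config; the AWS values are the documentation examples
# AWS itself publishes, and the GitLab token is a dummy of the right shape.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_PRIVATE_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
db_password = ${PROD_DB_PASSWORD}
log_level = debug
"""
```

Running `scan_text(SAMPLE)` reports lines 1 to 3 and skips the `${PROD_DB_PASSWORD}` placeholder; wired into a pre-commit hook over the staged files, a non-empty result should fail the commit.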

  • Who would have believed such a thing from a company on fire? And this after the Fold fiasco, that has turned out to be anything but the explosive device that we were all expecting.
