A security researcher has revealed that a large amount of sensitive information was inadvertently made publicly accessible on GitLab. Nothing so unusual about that, you might think. However, the information concerned included source code, credentials and secret keys for various projects. Still nothing too out of the ordinary, you say? Here's the thing: the Vandev Lab GitLab instance in question was one used by Samsung staff to work on code for various projects, including the SmartThings and Bixby platforms.
Mossab Hussein, a security researcher with cybersecurity outfit SpiderSilk, discovered that dozens of Samsung internal coding projects were being exposed on GitLab because they had been erroneously configured as public, without any password protection. That meant anyone could access them and, here's the real security shocker, download the source code. This included, Hussein says, source code for the Samsung smart home ecosystem platform known as SmartThings, as well as private certificates for both the Android and iOS SmartThings apps.
Zack Whittaker broke the story and reports that many of the folders "contained logs and analytics data for Samsung's SmartThings and Bixby services, but also several employees' exposed private GitLab tokens stored in plaintext." Whittaker says that Hussein shared "several screenshots" as well as video footage in order to verify his findings. The SmartThings app has been downloaded and installed from Google Play more than 100 million times. That app has now been updated by Samsung, but Hussein says that he had the private token of a user with "full access to all 135 projects on that GitLab." In other words, had he used that token to access the staff member's account, he would have held the keys to the Samsung code kingdom. This is serious stuff because, armed with that level of access, a malicious actor could potentially have injected malicious code directly into a major app such as SmartThings.
Recapitulation of 2018
Samsung has revoked the Amazon Web Services (AWS) credentials following Hussein's disclosure to the company on April 10, although Whittaker says that the vulnerability report has still not been closed by Samsung, which suggests there may still be remediation work to be done. In a statement to TechCrunch, a Samsung spokesperson said that "we have yet to find evidence that any external access occurred" but that Samsung is "currently investigating this further."
Ilia Kolochenko, founder of web security vendor ImmuniWeb, says that many large enterprises unwittingly leak source code not only through public code repositories but also through social networks, Pastebin and other communities on the web. "Often, the source code contains hardcoded credentials and API keys," Kolochenko says, "let alone intellectual property owned by the organizations." He blames the outsourcing of software development to third parties for exacerbating the problem. "Remote developers may recklessly share, send and store your source code without any protection or care," Kolochenko warns. "Cybercriminals glean leaked data from public websites, frequently securing a windfall."
On this occasion, as far as we know, Samsung got lucky and plugged the leaks before malicious actors found out. Some might argue it was more by luck than judgement…