Samsung leaks confidential source code and private keys by mistake

Security researchers have revealed that a large amount of confidential information was left publicly accessible on GitLab; according to the researchers, the exposed information includes source code, access credentials and private keys for several private projects. One of the affected GitLab instances was used by Samsung staff to work on the code of company projects such as Samsung SmartThings.

The researchers' investigation found dozens of Samsung internal coding projects on GitLab that were exposed by a misconfiguration: the projects were left accessible without requiring any authentication.

This meant that anyone could browse them and download the source code of SmartThings, Samsung's smart home platform, along with the private certificates used for the SmartThings apps on iOS and Android.

According to the researchers, many of the exposed folders held records and analytics data for Samsung's SmartThings and Bixby services, as well as the private GitLab tokens of several employees, stored in plain text.

The SmartThings app has been downloaded and installed more than 100 million times from Google Play alone. The company updates the app regularly, but the researchers say that a single Samsung developer token could grant access to 130 Samsung projects on GitLab.
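The two failure modes described above, projects left visible without authentication and credentials committed in plain text, can both be checked for offline. The following Python is an added example (not code from the article, the researchers, or Samsung): the project list mirrors the fields of a GitLab `/api/v4/projects` response, and the file contents, key material and token values are constructed for illustration.

```python
"""Offline audit for two GitLab exposure modes: non-private project visibility
and plaintext credentials in committed files. Added example with constructed data."""
import json
import re

# Constructed: the subset of fields that GET /api/v4/projects returns on a
# GitLab instance. "public" is readable without logging in; "internal" is
# readable by any authenticated user on the instance; only "private" is
# restricted to project members.
SAMPLE_PROJECTS_JSON = json.dumps([
    {"id": 101, "path_with_namespace": "smartthings/ios-app", "visibility": "public"},
    {"id": 102, "path_with_namespace": "smartthings/android-app", "visibility": "internal"},
    {"id": 103, "path_with_namespace": "bixby/analytics", "visibility": "private"},
])

# Constructed: file contents as they might be checked into such a project.
# The AWS key ID is the documented AWS example value; the other values are invented.
SAMPLE_FILES = {
    "deploy/config.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "gitlab_token: 'zx9Q2kL8mN4pR7sT1vWb'\n"
    ),
    "certs/push.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# SmartThings\nBuild with `make`.\n",
}

SECRET_PATTERNS = {
    # PEM header of any private key type (RSA, EC, DSA, OPENSSH, PKCS#8, ...).
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # AWS access key IDs are 20 characters: "AKIA" plus 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # AWS secret keys are 40 base64-style characters; key on the variable name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"),
    # GitLab token assignments. Older tokens were 20 opaque characters, newer
    # personal access tokens carry a "glpat-" prefix, so match on the variable
    # name rather than on a fixed token format.
    "gitlab_token": re.compile(
        r"(?i)(?:gitlab|private)[_-]?token\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}


def find_exposed_projects(projects_json, allowed=("private",)):
    """Return [(path_with_namespace, visibility)] for every project whose
    visibility is not in `allowed`. Pass allowed=("private", "internal") if
    instance-wide visibility is acceptable in your environment."""
    return [(p["path_with_namespace"], p["visibility"])
            for p in json.loads(projects_json)
            if p.get("visibility") not in allowed]


def scan_for_secrets(files):
    """Return sorted [(path, line_no, kind)] for every line that matches one of
    SECRET_PATTERNS. `files` maps a repository path to its text content."""
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, line_no, kind))
    return sorted(hits)


if __name__ == "__main__":
    for path, visibility in find_exposed_projects(SAMPLE_PROJECTS_JSON):
        print(f"EXPOSED {path}: visibility={visibility}")
    for path, line_no, kind in scan_for_secrets(SAMPLE_FILES):
        print(f"SECRET  {path}:{line_no}: {kind}")
```

To run the project check against a real instance, feed `find_exposed_projects` the body of `GET https://<gitlab-host>/api/v4/projects?per_page=100` (paginated; send your token in the `PRIVATE-TOKEN` header). The same endpoint called without any token returns exactly the set of projects an outsider can see, which is the quickest way to confirm whether anything is exposed. The regex scan is a first pass only: it misses secrets that do not follow these shapes, and the patterns that key on a variable name will not catch a bare token value, so treat a clean result as "nothing obvious", not as "nothing leaked".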

Meanwhile, the company has revoked the exposed Amazon Web Services (AWS) credentials since the researchers completed their investigation. Samsung has not yet closed the case, which suggests that its incident recovery process may not be complete.

According to the experts from the International Institute of Cyber Security (IICS), quite a few companies leak confidential material such as source code or private keys by mistake through platforms intended for software developers. Many experts consider outsourced services a fundamental part of this problem, since contractors can commit multiple security lapses in their routine work.