It seems that Samsung has suffered the loss of sensitive source code, credentials and secret keys for various internal projects. According to TechCrunch, the independent security researcher Mossab Hussein discovered dozens of files exposed on a GitLab instance used by Samsung engineers and hosted on a domain owned by the company.
The exposed files contained source code for projects such as the SmartThings platform and services related to the Bixby voice assistant, credentials that provided access to the company's Amazon Web Services account, and GitLab tokens belonging to different employees.
By me @Forbes: Massive Samsung security faux pas exposes credentials and source code online. Kudos to @mossab_hussein (research,) @zackwhittaker (the story) and Ilia Kolochenko @immuniweb (comments.) #Samsung #infosecurity #dataleak https://t.co/cMcCQuYL8N
— Davey Winder (@happygeek) May 9, 2019
A Samsung spokesman said the Korean giant quickly “revoked” all the keys and certificates for the platform. Hussein, however, claims to have alerted Samsung on April 10 and that the company did not revoke the GitLab keys until April 30. He also says that the real threat is that someone could gain this level of access to the application’s source code and add malware without the company knowing about it.
Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier. Samsung’s data leak, he said, was his biggest find to date.
To Samsung’s knowledge, the exposed files have not been tampered with.