A development lab used by Samsung engineers has been exposing source code, credentials and secret keys for several internal Samsung projects, a security researcher has found.
Mossab Hussein, a researcher at cybersecurity firm SpiderSilk, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.
The internal coding projects were left on a GitLab instance hosted on Vandev Lab, a Samsung-owned domain. The instance, used by staff to share code for various Samsung apps, services and projects, was set to ‘public’ and not password protected, so anyone could access and download the source code.
Many of the folders allegedly contained logs and analytics data for Samsung’s SmartThings and Bixby services, as well as private GitLab tokens stored in plaintext, which allowed additional access to many private projects.
Speaking to TechCrunch, Hussein said: “I had the private token of a user who had full access to all 135 projects on that GitLab. The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing.”
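As an added illustration, not code from the article or from Samsung or SpiderSilk, the following Python scanner shows the kind of check that would flag plaintext GitLab tokens and AWS credentials in files before they reach a shared repository. The sample repository contents are constructed; the `AKIA` access key ID format and the `glpat-` personal access token prefix are the real formats, while the assignment rule is a heuristic that needs tuning per codebase.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the credential types the report describes. AKIA + 16 uppercase
# alphanumerics is the AWS access key ID format and "glpat-" is the prefix GitLab
# gives personal access tokens; the assignment rule is a heuristic for hardcoded
# secrets and will produce false positives that need review.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20,}\b"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)\b(aws_secret_access_key|secret_key|password|token)\b"
        r"\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, matched_text) for every hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, rule, match.group(0)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan a mapping of path -> contents; only paths with at least one hit are returned."""
    results = {}
    for path, contents in files.items():
        hits = scan_text(contents)
        if hits:
            results[path] = hits
    return results


# Constructed sample repository (no real credentials): a settings file with a
# hardcoded AWS key pair, a CI script carrying a GitLab token, and a clean README.
SAMPLE_REPO = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "REGION = 'eu-west-1'\n"
    ),
    "scripts/deploy.sh": "curl --header 'PRIVATE-TOKEN: glpat-xxxxxxxxxxxxxxxxxxxx' https://gitlab.example/api/v4/projects\n",
    "README.md": "Set credentials through environment variables, never in the repo.\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_REPO).items():
        for lineno, rule, text in hits:
            print(f"{path}:{lineno}: {rule}: {text}")
```

Run as a pre-commit hook or in CI, a scanner like this blocks the commit when it returns any hit; the secret must then be revoked and rotated rather than simply deleted from the file, since it already lives in the working tree.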
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented: “Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.
“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.
“Organisations should conduct a holistic risk management assessment of their suppliers, foremost on software development companies. Comprehensive and measurable policies and procedures should be enacted and monitored on a continuous basis. Otherwise, you just leave the keys to your digital realm in the front door.”