sb-eu logo
Story image

Samsung left Bixby & SmartThings code wide open to the public

10 May 2019

If you’re someone who likes to use apps and platforms with some level of confidence that they’re secure, you may want to take another look at how much you trust big brands like Samsung.

Samsung has hopefully learnt a powerful lesson about making sure it secures applications and platforms this week, after one security researcher found a stash of information, code, keys and other things relating to some of Samsung’s biggest projects.

SpiderSilk security research Mossab Hossein found a GitLab page for Samsung’s SmartThings and Bixby – both of which are major smart assistant and smart home platforms. That’s not a great move for a massive tech manufacturer that probably relies heavily on keeping its intellectual property in its own hands.

According to Hussein, anyone could go through the information that included keys, credentials, and keen snoopers could even download the source code.

He also told TechCrunch that he obtained a private user’s token that provided access to every single Samsung project on GitLab – all 135 of them. 

While it was only a responsible security researcher who managed to find all of that information, it is entirely possible that a cyber attacker could have used it to their advantage too, although Samsung believes that probably wasn’t the case. Samsung has reportedly revoked Amazon Web Service credentials, it still seems like the company is investigating the problem.

Cybersecurity company ImmuniWeb CEO Ilia Kolochenko had this to say about it:

''Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.”

“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.”

Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More
Story image
Why it’s essential to re-write IT security for the cloud era
Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organisations functioning only on-premises or from only managed devices.More
Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More
Story image
Proofpoint enhances security awareness training platform
Available in Q4 2020, the platform will integrate more closely with Proofpoint’s best-in-class threat intelligence.More
Story image
Is cyber deception the latest SOC 'game changer'?
Cyber deception reduces data breach costs by more than 51% and Security Operations Centre (SOC) inefficiencies by 32%, according to a new research report by Attivo Networks and Kevin Fiscus of Deceptive Defense.More
Story image
Malware and email scams targeting employees spread rapidly in Q2
"Businesses must stay alert and should employ defense-in-depth tactics and equip themselves with multilayered security mechanisms, including high-sensor spam filters and a VPN connection, which would prevent malicious pages from opening."More