Story image

Samsung left Bixby & SmartThings code wide open to the public

10 May 2019

If you’re someone who likes to use apps and platforms with some level of confidence that they’re secure, you may want to take another look at how much you trust big brands like Samsung.

Samsung has hopefully learnt a powerful lesson about making sure it secures applications and platforms this week, after one security researcher found a stash of information, code, keys and other things relating to some of Samsung’s biggest projects.

SpiderSilk security research Mossab Hossein found a GitLab page for Samsung’s SmartThings and Bixby – both of which are major smart assistant and smart home platforms. That’s not a great move for a massive tech manufacturer that probably relies heavily on keeping its intellectual property in its own hands.

According to Hussein, anyone could go through the information that included keys, credentials, and keen snoopers could even download the source code.

He also told TechCrunch that he obtained a private user’s token that provided access to every single Samsung project on GitLab – all 135 of them. 

While it was only a responsible security researcher who managed to find all of that information, it is entirely possible that a cyber attacker could have used it to their advantage too, although Samsung believes that probably wasn’t the case. Samsung has reportedly revoked Amazon Web Service credentials, it still seems like the company is investigating the problem.

Cybersecurity company ImmuniWeb CEO Ilia Kolochenko had this to say about it:

''Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.”

“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.”

Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.