Samsung private GitLab tokens exposed including source code, credentials, secret keys

News by Robert Abel

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects -- including its SmartThings platform.

A security researcher at a Dubai-based cyber-security firm SpiderSilk discovered a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform.

The researcher, Mossab Hussein, found Samsung engineers had left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain.

The platform was used by staff to share and contribute code to various Samsung apps, services and projects and contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed the researcher to gain additional access from as many as 135 projects, including many private projects.

Hussein reported the issue to Samsung on 10 April, 2019, and said Samsung took until 30 April to revoke the GitLab private keys although it did immediately begin revoking the AWS credentials. But it’s not known if the remaining secret keys and certificates were revoked, the researcher told TechCrunch.

"I had the private token of a user who had full access to all 135 projects on that GitLab," he said, which could have allowed him to make code changes using a staffer’s own account and one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

The real threat however, came from the threat of a malicious attacker being able to inject malicious code into one of the projects without Samsung knowing.

Samsung told Hussein some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10, according to the publication. The app has since been updated.

"Recently, an individual security researcher reported a vulnerability through our security rewards programme regarding one of our testing platforms," a Samsung spokesperson told SC Media. "We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further."

Ilia Kolochenko, founder and CEO of ImmuniWeb, told SC Media the finding wasn’t surprising.

"Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web," Kolochenko said. "Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organizations. Outsourcing of software development to third parties tremendously exacerbates the problem."

In addition remote developers may recklessly share, send and store your source code without any protection or care. These actions make it easy for cybercriminals to simply glean information leaked from public websites ultimately, sabotaging growing investments into cyber-security by using insecure software development processes.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop