It's not the work of hackers but of careless employees

May 9, 2019 18:16 GMT  ·  By

Samsung is now investigating a massive data leak that might have exposed the source code to outside parties for several projects, including Bixby and SmartThings.

When we hear about data leaks, we usually imagine that the company in question was the victim of hackers, but it turns out that in Samsung’s case it was just negligence. Rather than user names, emails, and passwords, this data leak involves the source code for some of their applications. And that’s probably just the tip of the iceberg.

At best, no one figured out that they could have accessed the resources and the open door was never walked through. At worst, some people got access not only to the source code of Bixby and SmartThings but to some other projects as well.

Just some old-fashioned carelessness

The problem was discovered by Mossab Hussein, a security researcher for SpiderSilk. He noticed that a number of Samsung’s projects were actually available on GitLab. Developers often keep their work on this type of service, but it should be kept behind a password.

Some developer probably got tired of constantly having to enter the password when working with the project and got rid of it. The problem is that someone from outside the company could have downloaded the projects, which contain proprietary data.

According to a report on TechCrunch, the level of access obtained by Mossab Hussein went well beyond a couple of projects. The researcher managed to find private GitLab tokens stored in plaintext, and those opened many more gates. In fact, one of the tokens granted him access to more than 135 projects, many of which were actually private.
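As an added illustration of the failure mode described above (not code from the article, from Samsung or from GitLab): a small scanner a defender can run over a checkout to flag GitLab tokens committed in plaintext before a project is ever exposed. It assumes the `glpat-` prefix GitLab now puts on personal access tokens (older tokens had no such prefix), so it also matches the header, query-parameter and clone-URL forms in which a token is typically embedded; the sample input is constructed.

```python
"""Scan repository files for GitLab tokens committed in plaintext."""
import re
from pathlib import Path

# Each pattern's first group captures the secret itself so it can be redacted.
# Assumption: "glpat-" is the prefix GitLab currently puts on personal access
# tokens; the remaining patterns catch the header, query-parameter and clone-URL
# forms in which a token is usually passed, whatever its format.
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\b(glpat-[A-Za-z0-9_\-]{20,})"),
    "private_token_param": re.compile(r"private_token=([A-Za-z0-9_\-]{20,})"),
    "private_token_header": re.compile(r"PRIVATE-TOKEN:\s*([A-Za-z0-9_\-]{20,})", re.I),
    "token_in_url": re.compile(r"https://[^/\s:@]+:([^@\s]{8,})@[^/\s]*gitlab"),
}

def redact(secret):
    """Keep only a short prefix so the report itself never re-leaks the token."""
    return secret[:4] + "..." + "*" * 4

def scan_text(text, source="<memory>"):
    """Return one finding per matched token: where it sits and which form it took."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "hint": redact(match.group(1))})
    return findings

def scan_tree(root, suffixes=(".yml", ".yaml", ".env", ".py", ".sh", ".txt", "")):
    """Walk a checkout and scan text-like files; undecodable files are skipped."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(errors="strict")
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(text, source=str(path)))
    return findings

# Constructed sample resembling a CI config that embeds credentials four ways.
SAMPLE = """\
stages: [build]
variables:
  GITLAB_TOKEN: glpat-constructedSampleToken0001
script:
  - curl --header "PRIVATE-TOKEN: abcdefghij0123456789" https://gitlab.example/api/v4/projects
  - git clone https://oauth2:s3cr3tToken@gitlab.example/group/project.git
  - curl "https://gitlab.example/api/v4/user?private_token=0123456789abcdefghij"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, source="sample.gitlab-ci.yml"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['hint']}")
```

Run it as a pre-commit hook or a CI job against the whole tree with `scan_tree(".")`; any non-empty result should block the push until the token is rotated and moved into a CI variable.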

There are several additional problems. Someone with nefarious intentions could have used the access to inject malware into the apps. And then there’s the real possibility that other companies could get their hands on proprietary code.

To make matters even worse, Mossab Hussein notified Samsung of the problem on April 10th, but the company didn’t acknowledge it for more than 20 days. Of course, the credentials have since been revoked, and Samsung says that, as far as it can tell, it has found no evidence of tampering or access.