sb-nz logo
Story image

Samsung left Bixby & SmartThings code wide open to the public

10 May 2019

If you’re someone who likes to use apps and platforms with some level of confidence that they’re secure, you may want to take another look at how much you trust big brands like Samsung.

Samsung has hopefully learnt a powerful lesson about making sure it secures applications and platforms this week, after one security researcher found a stash of information, code, keys and other things relating to some of Samsung’s biggest projects.

SpiderSilk security research Mossab Hossein found a GitLab page for Samsung’s SmartThings and Bixby – both of which are major smart assistant and smart home platforms. That’s not a great move for a massive tech manufacturer that probably relies heavily on keeping its intellectual property in its own hands.

According to Hussein, anyone could go through the information that included keys, credentials, and keen snoopers could even download the source code.

He also told TechCrunch that he obtained a private user’s token that provided access to every single Samsung project on GitLab – all 135 of them. 

While it was only a responsible security researcher who managed to find all of that information, it is entirely possible that a cyber attacker could have used it to their advantage too, although Samsung believes that probably wasn’t the case. Samsung has reportedly revoked Amazon Web Service credentials, it still seems like the company is investigating the problem.

Cybersecurity company ImmuniWeb CEO Ilia Kolochenko had this to say about it:

''Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.”

“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.”

Story image
WatchGuard uncovers top cyber threat trends of Q4 2020
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections."More
Story image
Enterprises prioritise customer data protection but continue to leave it exposed
“Breaches of personal information strike at the heart of the relationship between enterprises and their customers."More
Story image
Attivo Networks expands Active Directory suite for greater protection
"We see Active Directory exploitation used in the majority of ransomware, insider and advanced attacks. We are pleased to now offer our customers early and efficient solutions for preventing the misuse of Active Directory.”More
Story image
5G network security a US$9 billion dollar opportunity - report
The cloud-native nature of 5G networks will have a disruptive and positive impact on the cybersecurity industry in the next few years, with 5G network security presenting a US$9 billion enterprise market opportunity by 2025.More
Story image
Why a more secure organisation is a collective responsibility
With vast volumes of data moving to the cloud, many IT professionals are frequently challenged to protect their enterprise environment, and there is a greater focus being placed on advancing cybersecurity strategies.More
Story image
iland and Cohesity form alliance, target data protection market
"Together with Cohesity, we will deliver elegant and cutting-edge solutions that will take our joint customers’ digital transformation projects to the next level."More