Web application security course specialists have revealed that a large amount
of confidential information has been exposed to the public on an undue basis in
GitLab;
according to the experts, the compromised information includes source code,
access credentials and confidential keys for several private projects. One of
the compromised implementations has been used by Samsung personnel to work on
the code of some of the company’s projects, such as Samsung SmartThings.
After the web application security course experts’ investigation, dozens of Samsung internal coding projects were discovered in GitLab due to an erroneous security configuration (they were not password protected).
This means that anyone could access them and even download the source code of SmartThings, the platform for smarthome developed by Samsung and the private certificates for the implementation of SmartThings on iOS and Android.
According to experts, many of the exposed folders stored records and analytical data for Samsung’s SmartThings and Bixby services, as well as the private GitLab tokens of multiple employees stored in plain text.
The SmartThings application has been downloaded and installed only from Google Play more than 100 million times; The company has updated the app regularly, but specialists claim that a Samsung developer token could grant access to 130 Samsung’s projects at GitLab.
On the other hand, the company has revoked the credentials of Amazon Web Services (AWS) after the web application security course experts finished their investigation. Samsung has not yet closed the case, which means that they may not yet have completed cyber security incident recovery process.
According to the experts from the International Institute of Cyber Security (IICS), there are few companies that, by mistake, come to leak confidential material, such as source code or private keys, through platforms for software developers. For many experts, a fundamental part of this problem is the outsourced services, which can commit multiple security omissions in their routine work.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.