Wednesday, May 08, 2019

A misconfigured GitLab server exposed Samsung's SmartThings app source code, certificates and secret keys.

A GitLab instance hosted on a Samsung development domain, Vandev Lab, and used by Samsung engineers left exposed highly sensitive source code, credentials and secret keys for several internal projects, including one popular Samsung app, the SmartThings platform, security researcher Mossab Hussein found.
Samsung engineers left a few internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The GitLab instance was left open because the projects were set to “public” and not properly protected with a password, allowing anyone who happened upon the servers to look inside, access and even download the source code.
The same researcher said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.
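The two failure modes described above (projects visible to anonymous visitors, and cloud credentials committed into them) are exactly what an owner of a GitLab instance should check for on their own server. The following is an added illustration, not code from the article, from Samsung or from GitLab: it uses GitLab's public REST API (`/api/v4/projects`, `/repository/tree`, `/repository/files/:path/raw`) without a token, so it sees only what an anonymous visitor would see, and flags files that contain credential-like strings. The instance URL, project names and sample file are constructed; the AWS values are the documentation placeholders, not real keys.

```python
import json, re, urllib.request
from urllib.parse import quote

# Patterns for what the article says was exposed: cloud credentials and private keys.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET = re.compile(r"aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}", re.I)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

def fetch(url, as_json=True):
    """GET with no token, so the result is exactly what an anonymous visitor can see."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        body = resp.read().decode("utf-8", "replace")
    return json.loads(body) if as_json else body

def public_projects(projects):
    """(id, path) for every project the projects API reports as 'public'."""
    return [(p["id"], p["path_with_namespace"])
            for p in projects if p.get("visibility") == "public"]

def find_secrets(text):
    """Names of credential-like patterns found in one file body, in a fixed order."""
    checks = [("aws_access_key_id", AWS_KEY_ID),
              ("aws_secret_access_key", AWS_SECRET),
              ("private_key", PRIVATE_KEY)]
    return [name for name, rx in checks if rx.search(text)]

def audit(base_url, ref="master"):
    """Walk every anonymously visible project; return (project, file, hits) for risky files."""
    findings = []
    projects = fetch(f"{base_url}/api/v4/projects?visibility=public&per_page=100")
    for pid, path in public_projects(projects):
        tree = fetch(f"{base_url}/api/v4/projects/{pid}/repository/tree?recursive=true&per_page=100")
        for entry in tree:
            if entry.get("type") != "blob":
                continue
            raw_url = (f"{base_url}/api/v4/projects/{pid}/repository/files/"
                       f"{quote(entry['path'], safe='')}/raw?ref={ref}")
            hits = find_secrets(fetch(raw_url, as_json=False))
            if hits:
                findings.append((path, entry["path"], hits))
    return findings

# Constructed sample data, shaped like the projects API response and a committed AWS config.
SAMPLE_PROJECTS = [
    {"id": 7, "path_with_namespace": "lab/smartthings-sample", "visibility": "public"},
    {"id": 9, "path_with_namespace": "lab/internal-tools", "visibility": "private"}]
SAMPLE_FILE = ("[default]\n"
               "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
               "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
```

Run `audit("https://gitlab.example.internal")` against your own instance; an empty result means no project is anonymously readable with credential-looking content, while any finding is a key to rotate, not just a file to delete, since it remains in the repository history.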
“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms. We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication of this information.