Samsung spilled SmartThings app source code and secret keys

8:16am, 8th May, 2019
A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects, including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside each project, access it, and download the source code.

Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data. Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ private GitLab tokens stored in plaintext, which allowed him to expand his access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing, but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the app, published in Google Play on April 10. The app, which has since been updated, has to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account. Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings iOS and Android apps. Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said. Through exposed private keys and tokens, Hussein documented a vast amount of access that, if obtained by a malicious actor, could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked. Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed , an anonymous social networking site popular among Silicon Valley employees, and found a server for scientific journal giant Elsevier. Samsung’s data leak, he said, was his biggest find to date. “I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.
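The two credential types at the centre of this story, AWS keys committed to source and GitLab private tokens sitting in plaintext, are exactly what a pre-commit or CI secret scan is meant to catch before a project is ever made public. The scanner below is an added illustration, not code from the article or from Samsung: the key formats it matches are assumptions taken from public documentation (AWS access key IDs begin with AKIA/ASIA; GitLab personal access tokens carry the `glpat-` prefix in current versions), and the repository contents are constructed.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted so the report is never itself a leak


# Assumed formats (from public docs, not from the article):
#  - AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
#  - AWS secret keys: 40 base64-ish chars; only flagged when the line names them,
#    which keeps ordinary 40-char strings (hashes, ids) out of the report.
#  - GitLab personal access tokens: glpat- prefix + 20 chars (GitLab 14.5+).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
}


def redact(secret: str) -> str:
    """Keep a short prefix for triage; mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file and collect redacted hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a repository path to its content (e.g. from a git tree walk)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (fake values; the AWS secret is AWS's own doc example).
SAMPLE_REPO = {
    "config/aws.properties": (
        "aws_access_key_id=AKIAEXAMPLE012345678\n"
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "scripts/deploy.sh": "curl --header 'PRIVATE-TOKEN: glpat-EXAMPLEtoken01234567' "
                         "https://gitlab.example.invalid/api/v4/projects\n",
    "README.md": "AKIA is just four letters, so this line is not a key.\n",
}
```

Wiring `scan_files` into a CI job that fails the pipeline on any finding, and periodically re-scanning already-public projects, covers both the commit-time and the after-the-fact exposure described above.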
GeekWire Calendar Picks: Black Girls Code workshops, Pluto’s planetary debate, FFA’s Champion Awards, and more

5:32pm, 29th March, 2019
(Photo via Black Girls CODE)

Black Girls CODE, a nonprofit dedicated to teaching girls of color ages 7-17 about computer programming and technology, is holding workshops on Saturday, March 30 in advance of the opening of a Seattle chapter in April. The workshops, scheduled from 9 a.m. to noon, will be held at the following locations: Sammamish High School, 100 140th Ave. SE, Bellevue, Wash.; Seattle Central College, 1701 Broadway, Seattle; South Shore Pre K-8, 4800 South Henderson, Seattle. The events are free but require advance registration (via the Black Girls CODE homepage). The Seattle chapter, the organization’s 15th, was made possible .

When most of us were in school, we were probably told that nine planets existed in the solar system. Now there are eight. Poor Pluto lost its planetary designation in 2006 when astronomers decided it didn’t fit the same criteria as the other eight “true” planets. But the debate has started again. You can get the full scoop on Pluto at the Evergrey’s presentation at the Pacific Science Center on April 11.

Women’s History Month may be drawing to a close, but the Female Founders Alliance is continuing the celebration with their annual Champion Awards on April 4. The Champion Awards were created to honor individuals and companies in the Pacific Northwest that are making a notable difference in helping women succeed in the workplace, regardless of their field or industry. The Champion Awards pick winners in five different categories, including advocates, investors and role models.

Here are more highlights from the GeekWire Calendar:

- An event honoring people and companies who are impacting change in the city, hosted by The Evergrey in Seattle; 6:30 to 9:30 p.m. Thursday, April 4.
- An event featuring panels and guest speakers about the art of networking at The Columbia Tower Club in Seattle; 7 to 9 p.m. Thursday, April 4.
- A talk about how startups can effectively use social media to reach their goals at CoMotion Labs at the University of Washington in Seattle; 12 to 1 p.m. Friday, April 5.
- A talk about the opportunities and how to get started in the public sector at Code Fellows in Seattle; 12:15 to 1 p.m. Friday, April 5.
- An event featuring panels and discussions with the goal of linking founders with other founders and investors at WeWork Labs in Portland; 2 p.m. to 7:30 p.m. Tuesday, April 9.
- An event focusing on the basics of blockchain at the Flatiron School in Seattle; 6 to 9 p.m. Tuesday, April 9.
- A job fair specifically for startups to meet some of the students who might make for good additions to teams, at the University of Washington Intellectual House in Seattle; 4 to 7 p.m. Wednesday, April 10.