Samsung exposed sensitive data, credentials and source code of several major projects

According to security researcher Mossab Hussein, Samsung was leaking sensitive data, such as credentials, source code and secret keys, for various important projects.

Unknowingly, the company had given "public" access to critical files in its development lab on GitLab, which were not protected with a password.

The exposed data contained credentials for the Amazon Web Services account that was used for the development of Samsung services. These additionally revealed 100 S3 storage buckets attached to the same AWS account, containing log and analytics data.

Employee GitLab access tokens are also part of the sensitive data that was discovered. The security researcher gained access to various public and private projects with the access tokens, increasing the number of exposed projects from 43 to 135. "I had the private token of a user who had full access to all 135 projects on that GitLab," says Mossab Hussein.

Most of the publicly viewable files contained data related to Samsung's SmartThings and Bixby services. It could have been "disastrous" if some bad actor had manipulated the code.

Samsung hosts multiple projects at Vandev Lab, the company's GitLab repository for development purposes. The same repository contains projects like Samsung's SmartThings platform and Bixby services.

However, Samsung has now revoked access to all keys and credentials on the test platform. The company is investigating to find evidence of any external access after this event.

Following the discovery, the firm will apply stronger security measures in all its laboratories, as well as in other areas open to different audiences, so that something similar does not happen again in the future.
