Story image

Samsung left Bixby & SmartThings code wide open to the public

10 May 2019

If you’re someone who likes to use apps and platforms with some level of confidence that they’re secure, you may want to take another look at how much you trust big brands like Samsung.

Samsung has hopefully learnt a powerful lesson about making sure it secures applications and platforms this week, after one security researcher found a stash of information, code, keys and other things relating to some of Samsung’s biggest projects.

SpiderSilk security research Mossab Hossein found a GitLab page for Samsung’s SmartThings and Bixby – both of which are major smart assistant and smart home platforms. That’s not a great move for a massive tech manufacturer that probably relies heavily on keeping its intellectual property in its own hands.

According to Hussein, anyone could go through the information that included keys, credentials, and keen snoopers could even download the source code.

He also told TechCrunch that he obtained a private user’s token that provided access to every single Samsung project on GitLab – all 135 of them. 

While it was only a responsible security researcher who managed to find all of that information, it is entirely possible that a cyber attacker could have used it to their advantage too, although Samsung believes that probably wasn’t the case. Samsung has reportedly revoked Amazon Web Service credentials, it still seems like the company is investigating the problem.

Cybersecurity company ImmuniWeb CEO Ilia Kolochenko had this to say about it:

''Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.”

“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.”

What the future of fibre looks like in NZ
The Commerce Commission has released its emerging views paper on the rules, requirements and processes which will underpin the new regulatory regime for New Zealand’s fibre networks.
Gen Z confidence in the economy is on the decline
Businesses need to work hard to improve their reputations.
Why NZ businesses have less than two years to adopt digital before disruption hits
Research found that digital disruption is already impacting two-thirds of New Zealand organisations.
Infratil seeks clearance to acquire up to 50% stake in Vodafone NZ
The commission will give clearance to a proposed merger if they are satisfied that the merger is unlikely to have the effect of substantially lessening competition in a market.
Hands-on review: MiniTool Power Data Recovery Software
I came across a wee gem of advice when researching the world of data recovery. As soon as you get that sinking feeling and realise you’ve lost a file, stop using your computer.
Deepfakes the 'next wave of concern' - but can law really stomp it out?
Enforcing the existing law will be difficult enough, and it is not clear that any new law would be able to do better. Overseas attempts to draft law for deepfakes have been seriously criticised.
Acquia delivers open source framework for contextual commerce
The framework connects the Drupal open source web content management system with e-commerce platforms from Acquia partners.
You only get one chance to make a first impression
Regardless of where you come from one thing is for certain, businesses only get one chance to make a first impression.