Samsung leaked SmartThings app source code and secret keys
#1
Quote: A security researcher at a Dubai-based cybersecurity firm SpiderSilk discovered a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform.
 
The researcher, Mossab Hussein, found Samsung engineers had left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain. 
 
The platform was used by staff to share and contribute code to various Samsung apps, services and projects and contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed the researcher to gain additional access from as many as 135 projects, including many private projects.
 
Hussein reported the issue to Samsung on April 10, 2019, and said Samsung took until April 30 to revoke the GitLab private keys although it did immediately begin revoking the AWS credentials. But it’s not known if the remaining secret keys and certificates were revoked, the researcher told TechCrunch.

SOURCE: https://www.scmagazine.com/home/security...cret-keys/