
Samsung spilled SmartThings app source code and secret keys


    Oh, that's nice....

    "Mossab Hussein ... said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data. .... Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services."
    I'm assuming the logs and analytics data were SmartThings Hub logs, which likely contained JSON URL strings with plain text usernames/passwords for 3rd party apps.

    “The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said. .... Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. .... Hussein said Samsung took until April 30 to revoke the GitLab private keys.
    It is incredible that a company as large as Samsung, once it was made aware of it, would leave their source code vulnerable for an additional 5 minutes, let alone 20 more days. And yet, are we really surprised when we read crap like this?