Image credit: JUNG YEON-JE via Getty Images

Samsung leak exposed source code, passwords and employee data

An independent researcher discovered dozens of files set to public.

Samsung was reportedly leaking sensitive source code, credentials and secret keys for several internal projects. According to TechCrunch, independent security researcher Mossab Hussein discovered dozens of exposed files in a GitLab instance used by Samsung engineers and hosted on a company-owned domain. The projects were reportedly set to "public" and not protected with a password.

The exposed files contained source code for projects like Samsung's SmartThings platform and Bixby services. They also contained credentials that provided access to the Amazon Web Services account that was being used, as well as several employees' GitLab tokens, which provided further access.

A Samsung spokesperson told TechCrunch that the company "quickly revoked" all keys and certificates for the platform, reportedly used for testing. But Hussein said he alerted Samsung on April 10, and the company didn't revoke the GitLab keys until April 30. "The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing," he told TechCrunch.

To Samsung's knowledge, the exposed files weren't tampered with. But for any company, especially one of this scale, a leak like this could be disastrous. It should also be preventable.
