Story image

Samsung left Bixby & SmartThings code wide open to the public

10 May 2019

If you’re someone who likes to use apps and platforms with some level of confidence that they’re secure, you may want to take another look at how much you trust big brands like Samsung.

Samsung has hopefully learnt a powerful lesson about making sure it secures applications and platforms this week, after one security researcher found a stash of information, code, keys and other things relating to some of Samsung’s biggest projects.

SpiderSilk security research Mossab Hossein found a GitLab page for Samsung’s SmartThings and Bixby – both of which are major smart assistant and smart home platforms. That’s not a great move for a massive tech manufacturer that probably relies heavily on keeping its intellectual property in its own hands.

According to Hussein, anyone could go through the information that included keys, credentials, and keen snoopers could even download the source code.

He also told TechCrunch that he obtained a private user’s token that provided access to every single Samsung project on GitLab – all 135 of them. 

While it was only a responsible security researcher who managed to find all of that information, it is entirely possible that a cyber attacker could have used it to their advantage too, although Samsung believes that probably wasn’t the case. Samsung has reportedly revoked Amazon Web Service credentials, it still seems like the company is investigating the problem.

Cybersecurity company ImmuniWeb CEO Ilia Kolochenko had this to say about it:

''Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organisations.”

“Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.”

Sony and Microsoft to explore strategic partnership
“Our partnership brings the power of Azure and Azure AI to Sony."
Hands-on PSVR preview: Blood & Truth
PlayStation VR fans who picked up a copy of VR Worlds with their headset will have had a taster of SIE London Studio’s Blood & Truth.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Govt & Canterbury Uni pour $7m into gaming research
The funding will be used to boost the University of Canterbury’s Applied Immersive Gaming Initiative, which will research and accelerate public use of immersing gaming applications.
This Feilding school has just won an international robotics award (again!)
“In typical Kiwi fashion, our students think laterally to solve challenges, build prototypes, test and retest until they have a working model. All on their own time and all with their own ideas."
New educational game to boost construction skills shortage
The game has been designed to give future business people and construction workers a taste of what it’s like to build their own company.
DJI launches Osmo Action - a handheld action cam with a difference
Hold on to your skis, snowboards, or your camera-mounted stunt cars, because DJI has launched Osmo Action camera.
Study finds NZ mobile services in good stead due to competition
The study found indicators such as pricing, coverage and choice of mobile services were trending in a positive direction for consumers.