Samsung spilled SmartThings app source code and secret keys

Judhajeet Das

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside each project and access and download its source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.
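The failure described above is credentials sitting in plaintext inside repository files. As an added example (not code from the article, Samsung or GitLab), the following Python scanner shows the kind of pre-commit check that flags AWS access key IDs, GitLab personal access tokens and high-entropy secret assignments; the `glpat-` prefix is what current GitLab versions put on tokens (an assumption here, since the instance in the article predates it), and the sample config values are constructed.

```python
from __future__ import annotations
import math
import re
from dataclasses import dataclass

# Formats that should never be committed: AWS access key IDs are 20 chars
# starting with "AKIA"; "glpat-" is the prefix current GitLab versions put on
# personal access tokens (assumption: the instance in the article predates it).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
}
# Fallback: a credential-like key name assigned a long, high-entropy value
# (catches AWS secret access keys and unprefixed opaque tokens).
ASSIGNMENT = re.compile(
    r"(?i)\w*(secret|token|password|passwd|api_key|private_key)\w*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

@dataclass
class Finding:
    line_no: int
    kind: str
    value: str

def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char base64 secrets score above ~4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Return one Finding per suspected secret, in line order."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        hits = [Finding(no, k, m.group(0))
                for k, p in PATTERNS.items() for m in p.finditer(line)]
        m = ASSIGNMENT.search(line)
        # Only fall back to the entropy heuristic when no known format matched.
        if not hits and m and shannon_entropy(m.group(2)) >= entropy_threshold:
            hits.append(Finding(no, "high_entropy_secret", m.group(2)))
        findings.extend(hits)
    return findings

# Constructed sample config using AWS's documented example credentials.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_TOKEN=glpat-aBcDeFgHiJkLmNoPqRsTuVwX
log_level = debug
"""
if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.value[:4]}...redacted)")
```

Run against a staged diff in a pre-commit hook, a non-empty result should block the commit; the entropy threshold is the knob to tune against false positives on long identifiers.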

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that, if obtained by a malicious actor, could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied).

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.



Disney+ comes to Canada and the Netherlands on Nov. 12, will support nearly all major platforms at launch


Disney+ will have an international launch that begins at the same time as its rollout in the U.S., Disney revealed. The company will be launching its digital streaming service on November 12 in Canada and The Netherlands, and it will be available in Australia and New Zealand the following week. The streaming service will also support virtually every device and operating system from day one.

Disney+ will be available on iOS, Apple TV, Google Chromecast, Android, Android TV, PlayStation 4, Roku and Xbox One at launch, which is pretty much an exhaustive list of everywhere someone might want to watch it, leaving aside some smaller proprietary smart TV systems. That, combined with the day-and-date global markets, should be a clear indicator that Disney wants its service to be available to as many customers as possible, as quickly as possible.

Through Apple’s iPhone, iPad and Apple TV devices, customers will be able to subscribe via in-app purchase. Disney+ will also be fully integrated with Apple’s TV app, which is getting an update in iOS 13 in hopes of becoming even more useful as a central hub for all a user’s video content. The one notable exception on the list of supported devices and platforms is Amazon’s Fire TV, which could change closer to launch depending on negotiations.

In terms of pricing, the service will run $8.99 per month or $89.99 per year in Canada, and €6.99 per month (or €69.99 per year) in the Netherlands. In Australia, it’ll be $8.99 per month or $89.99 per year, and in New Zealand, it’ll be $9.99 per month or $99.99 per year. All prices are in local currency.

That compares pretty well with the $6.99 per month (or $69.99 yearly) asking price in the U.S., and undercuts the Netflix pricing in those markets, too. This is just the Disney+ service on its own, however, not the combined bundle that includes ESPN Plus and Hulu for $12.99 per month, which is probably more comparable to Netflix in terms of breadth of content offering.


Huawei pushes back launch of 5G foldable, the Mate X


If you were desperately ripping days off of your calendar until you could get your hands on Huawei’s $2,600 5G foldable, the Mate X — which was originally slated to launch next month — it sounds like you’re going to have to wait a bit longer, per TechRadar which attended a press event at Huawei’s Shenzhen headquarters today. 

It reports being told there is no possibility of a September launch. Instead Huawei is now aiming for November. But the company would only profess itself certain its first smartphone that folds out to a (square) tablet will launch before 2020. So it seems Mate X buyers may need to wait until circa Christmas to fondle this foldable.

It’s not clear exactly why the launch is being delayed. But — speculating wildly — we imagine it’s something to do with the fact that the screen, er, folds.

We’ve reached out to Huawei for official comment on the delay.

Huawei’s Mate X date slippage suggests Samsung will still be first to market with its (previously) delayed Galaxy Fold — which was itself delayed after a bunch of review units broke (because, well, did we tell you the screen folds?).

Last we heard, the Galaxy Fold is slated for a September release — Samsung seemingly confident it’s fixed the problem of how to make a foldable phone survive actual use.

Of course, survival in the wild very much remains to be seen with any of these foldables. So expect TC’s in-house hardware guru, Brian Heater, to put all of these expensively hinged touchscreens through their paces.

Returning to Huawei’s Mate X, potential buyers may not be entirely reassured to learn the company appeared to dangle rather more information about a planned sequel in front of reporters at the press event.

A sequel which may or may not have even more screens, as Huawei is apparently considering putting glass on the back. Yes, glass. (The gen-one Mate X will have a steel back.) Glass panels which it says could double as touchscreens. On the back. As well as the front. We have no idea if that means the price-tag will double too.

This theoretical quad (?) screen foldable follow-up to the still unreleased Mate X might even be released as soon as next year, according to TechRadar’s reportage. Or — again speculating wildly — it might never be released. Because, frankly, it sounds mental. But that’s the wacky world of foldables for ya.

There may be method in this madness too. Because, since smartphones turned into all-screen devices — making it almost impossible to tell one touch-sensitive slab from another — plucky Android device makers are trying to find a way to put more screen on the slab so you can see more.

If they can pull that off it might be great. However sticking a hinge right through the middle of a smartphone’s primary feature and function without that simultaneously causing problems is certainly a major engineering challenge.


Huawei’s new OS isn’t an Android replacement… yet


If making an Android alternative was easy, we’d have a lot more of them. Huawei’s HarmonyOS won’t be replacing the mobile operating system for the company anytime soon, and Huawei has made it pretty clear that it would much rather go back to working with Google than go it alone.

Of course, that might not be an option.

The truth is that Huawei and Google were actually getting pretty chummy. They’d worked together plenty, and according to recent rumors, were getting ready to release a smart speaker in a partnership akin to what Google’s been doing with Lenovo in recent years. That was, of course, before Huawei was added to a U.S. “entity list” that ground those plans to a halt.
