Source code and private keys for Samsung’s SmartThings app were left on GitLab
Smart homes, once the stuff of fiction, have become commonplace. Everything is connected to the internet, and you can control lights and household devices from your phone on a whim; setting this up in your own home is no longer even that expensive. One of the most widely used smart home solutions is Samsung’s SmartThings platform. SmartThings-compatible products are controlled from the SmartThings app on your device, but that app may not be as safe as it looks: its source code was discovered sitting on a GitLab server, private keys included.
The exposure was uncovered by Mossab Hussein, a Dubai-based security researcher working for the cybersecurity firm SpiderSilk. He found several Samsung-related projects on a GitLab instance hosted on one of Samsung’s servers, all of them set to public. Inside them he found credentials and private GitLab tokens that gave him access to several other storage buckets and projects, which in turn contained the entire source code for the SmartThings app along with the app’s private keys.
With that access he could have made code changes under a Samsung employee’s own account, injected malicious code into the app, or published the code online for anyone to see. The app, which currently has over 100 million installs on Google Play and comes pre-installed on a number of Samsung devices, has since been updated. Had a malicious actor made this discovery instead, the consequences would have been disastrous, according to Hussein.
Samsung has already addressed the issue, as Hussein reported it to the company before disclosing it publicly. The exposed GitLab private keys have been revoked, and Samsung is currently looking for evidence of any external access. For now things seem to be safe, but if you’re a SmartThings user, you should definitely be careful and make sure you are running the updated app.
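The chain described above started with credentials and private keys committed to repositories that were later left public. A defensive control a practitioner would want is a secret scan that runs as a pre-commit hook or CI job before anything reaches a repository. The following is an added example written for this article, not code from Samsung, SpiderSilk or the SmartThings project; the repository contents are constructed, the `glpat-` token format is the prefix GitLab uses today (an assumption here, since this incident predates it), and the AWS key is the placeholder value from AWS’s own documentation.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the kinds of material the article says were exposed: PEM private
# keys and access tokens. The PEM header is standard. The GitLab pattern assumes
# today's `glpat-` personal access token format; the AWS pattern matches access
# key IDs. Extend this table with the token formats your own platform issues.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "gitlab_token": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line that matches a secret pattern."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a hook would scan staged files."""
    findings: List[Finding] = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents; every secret-looking value is fake.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "# Smart home companion app\nNo secrets here.\n",
    "app/build.gradle": "android {\n  signingConfigs { release { storeFile file('release.jks') } }\n}\n",
    "config/deploy.env": "GITLAB_TOKEN=glpat-" + "x" * 20 + "\n"
                         "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "keys/signing.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n"
                        "-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    # A hook would exit non-zero here to block the commit when findings exist.
    for path, lineno, name in scan_tree(SAMPLE_REPO):
        print(f"{path}:{lineno}: {name}")
```

Scanning catches material before it is pushed; it does not replace auditing project visibility on the GitLab instance itself, which is the other half of what went wrong here.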