SmartThings App source code and keys leaked (May 2019 article)

TechCrunch released this article. Not sure if it has been posted before.



one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.
Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.
Samsung’s data leak, he said, was his biggest find to date.
“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.

This is very worrisome to me! I installed a device called FING on my network and it warns of intrusion, but I don't think it covers this type of fear.

Yeah, 20 days with full access to all or most of SmartThings; he must have opened a ticket with support. I bet it took 1 hr to fix it after support got it to the right person 🙂.


Another reason to update only rarely, after long marination.

Update rarely? Wouldn’t you want to update frequently so you got security patches in case some malicious code was inserted?