Friday, 10 May 2019

A "white-hat hacker" found a vulnerability in the access system for Samsung's IT development projects

Samsung's development division may have leaked important data: logins and passwords, source code and secret keys for several important projects. This was reported by cybersecurity specialist Mossab Hussein of the Dubai-based company SpiderSilk.
As a result of the leak, any outside users could have gained access to the corporation's projects, including "public" access to critically important development files on GitLab that were not password-protected.
One of the projects contained logins and passwords for Samsung's Amazon Web Services (AWS) account. Most of the publicly visible files there concerned projects for the Bixby voice assistant and the SmartThings smart-device management app. In total, public access was open to 135 projects of the South Korean tech giant.
Samsung confirmed the discovered vulnerability and has already taken steps to fix it.
How serious this incident was is not yet known, since the software developers will need some time to understand whether there was any tampering with the architecture of the code that potential attackers could have accessed.
In connection with this case, the TechCrunch portal published an angry article about Samsung's security policy for IT project development. The article's author quoted Hussein extensively, who expressed bewilderment at such loose management of the corporation's infrastructure.
At the same time, independent cybersecurity specialists note that many "white-hat hackers" deliberately exaggerate the severity of a problem "to raise their price" and demand as large a payment as possible from the companies they notify for discovering the "holes". Nevertheless, ignoring any report of a possible vulnerability is unacceptable, so Samsung should develop stricter security rules for data exchange both between its own divisions and with third-party developers.

Samsung spilled SmartThings app source code and secret keys

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.
The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.
Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.
Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.
The app, which has since been updated, has more than 100 million installs to date.
“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.
Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.
The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.
Hussein also found several internal documents and slideshows among the exposed files.
“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.
Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.
Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.
Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.
“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”
Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.
Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.
Samsung’s data leak, he said, was his biggest find to date.
“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.
Ilia Kolochenko, founder of web security vendor ImmuniWeb, says that many large enterprises unwittingly leak source code through not only public code repositories but also social networks, Pastebin and other communities on the web. "Often, the source code contains hardcoded credentials and API keys," Kolochenko says, "let alone intellectual property owned by the organizations." He blames the outsourcing of software development to third parties for exacerbating the problem. "Remote developers may recklessly share, send and store your source code without any protection or care," Kolochenko warns, "cybercriminals glean leaked data from public websites, frequently securing a windfall."
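A defender-side check for the two failure modes this article describes (credentials hardcoded in committed source, as Kolochenko warns, and GitLab private tokens sitting in plaintext logs, as Hussein found), written as an added example and not code from SpiderSilk, Samsung or TechCrunch. The sample config and log lines are constructed, and the patterns are assumed to cover only the common forms of these secrets.

```python
import re

# Added example, not code from SpiderSilk, Samsung or TechCrunch. It flags the
# two secret types the report describes: AWS credentials committed to a repo
# and GitLab private tokens left in plaintext logs. AWS documents the key-ID
# format (AKIA/ASIA plus 16 uppercase letters or digits) and the 40-character
# secret; the GitLab patterns match how a private token reaches the API
# (PRIVATE-TOKEN header or private_token query parameter), which is how it
# lands in access logs. Sample values below are constructed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "gitlab_private_token": re.compile(
        r"(?:PRIVATE-TOKEN:\s*|private_token=)([A-Za-z0-9_\-]{20,})"),
}

def mask(secret):
    """Keep a 4-char prefix so a finding can be traced without reproducing the secret."""
    return secret[:4] + "*" * (len(secret) - 4)

def _secret(match):
    return match.group(1) if match.groups() else match.group(0)

def scan(text):
    """Return (line_no, kind, masked_value) for every secret found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, mask(_secret(match))))
    return findings

def redact(text):
    """Replace matched secrets so the text is safe to keep in a public project or log archive."""
    for pattern in PATTERNS.values():
        text = pattern.sub(lambda m: m.group(0).replace(_secret(m), "[REDACTED]"), text)
    return text

# Constructed sample: a committed AWS config file plus two GitLab access-log lines.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
10.0.0.5 - - "GET /api/v4/projects?private_token=sampleTOKEN0123456789abc HTTP/1.1" 200
10.0.0.6 - - "GET /api/v4/projects/42 HTTP/1.1" 200
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running `scan` as a pre-commit hook and `redact` in the log pipeline addresses both halves of the leak: the secret never reaches the public project, and a token that does reach a log is masked before the log is shared.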