Samsung has accidentally exposed sensitive source code, secret keys, and credentials for a number of its apps, TechCrunch reports.
The company hosted dozens of internal coding projects in a GitLab instance on its Vandev Lab domain, which was used by staff to collaborate on the development of its applications and services.
SpiderSilk security researcher Mossab Hussein discovered that these files were set to public and not protected with a password, allowing anybody to inspect and download the source code.
According to the report, one project contained credentials that allowed access to the AWS account used for its operations, which in turn exposed a wealth of logs and analytics data.
Sensitive code for projects including SmartThings and Bixby was exposed in the leak, along with several employees' private GitLab tokens, which were stored in plaintext.
“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung told TechCrunch.
“We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further,” the company said.