
I don't mean to downplay the severity of this, and I could be missing something, but I fail to see how this is a new vulnerability that TrustLook has "discovered". We've seen countless stories on HN (unless I'm wildly misremembering) of credentials being leaked via client-side applications, including AWS credentials. Haven't developers been getting this wrong since the dawn of client-server authentication?



This does seem like a PR department writing rather than a security researcher. Calling out AWS credentials seems to be particularly trolling, they just happen to be the secrets that were easiest to grep for I guess.


Indeed. I took a quick look at the "front page" of their blog and many of the post titles are what you would expect to see on press releases.

According to their "About Us" page, however, they are "a global leader in next-generation mobile security solutions." That's pretty remarkable to me considering the company was "founded in 2013" -- not bad for a year or so's work.

But I suppose that's easy to do when your "team consists of security industry veterans" (that shall go unnamed, it seems).

Maybe next week they'll reveal how my home is vulnerable to being broken into by a burglar armed with a battering ram.



