Hackers have broken into the core infrastructure of LineageOS, a free and open-source operating system for smartphones, tablet computers and set-top boxes, based on the Google Android mobile platform.
In a tweet, the company admitted the breach happened on Saturday night and it was detected well within time before the attackers could do any harm.
“Around 8PM PST on May 2nd, 2020 an attacker used a common vulnerabilities and exposures (CVE) in our saltstack master to gain access to our infrastructure,” said the company.
“We are able to verify that: Signing keys are unaffected, Builds are unaffected, Source code is unaffected,” added LineageOS.
According to LineageOS developers, the hacking took place after the attacker used an unpatched vulnerability to breach its Salt installation.
Salt is an open-source framework provided by Saltstack that is usually deployed and used to manage and automate servers inside data centers, cloud server setups, or internal networks, reports ZDNet.
Cyber security firm F-Secure has already disclosed two major vulnerabilities in the Salt framework that could be used to take over Salt installations.
The two vulnerabilities which, when combined, could allow attackers to bypass login procedures and run code on Salt master servers left exposed on the internet.
There are currently more than 6,000 Salt servers left exposed online that can be exploited via this vulnerability, if left unpatched.
LineageOS extends the functionality and lifespan of mobile devices from more than 20 different manufacturers owing to its open-source community of contributors from all around the world.
LineageOS is the successor to the custom ROM CyanogenMod, from which it was forked out in December 2016.
LineageOS was officially launched on December 24, 2016, with the source code available on both GitHub and GitLab.
Since its launch, LineageOS development builds are available for 109 phone models, with over 1.7 million active installs.