More than 50 high-profile companies have made their software source code freely available online, in part as a result of improperly configured infrastructure.
The source code for the software belonging to well-known names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository.
UPDATE: This may be related to a large Nintendo source code dump that began appearing online on June 24. Tom’s Guide was unable to confirm a link because the Nintendo data appears to have been removed from the GitLab repository of company source code at the heart of this story.
Easy access
According to a Bleeping Computer report, the leaked code was collected by Swiss software developer Tillie Kottman and placed under the names “exconfidential” and “confidential and proprietary” in a GitLab repository that anyone can access.
Kottman accumulated a large amount of source code by scanning third-party sources and poorly configured DevOps applications. The leaks affect a wide variety of companies, from tech giants to retailers.
Pseudonymous security researcher Bank Security estimates that more than 50 companies had their source code available in the repository.
“The source code related to more than 50 companies was leaked and published in a public repository,” Bank Security tweeted. “In some cases there are encrypted credentials.”
Bank Security published a list of the affected companies on Pastebin. The list is safe to view.
Many sectors affected
Bleeping Computer noted that Kottman’s repository also contained source code from organizations in industries such as fintech, banking, gaming, and identity and access management software.
Kottman explained to Bleeping Computer that they (Kottman identifies as non-binary) had found encrypted credentials in the repositories, but took steps to prevent them from being abused: “I try to do everything possible to avoid anything important that results directly from my releases.”
FYI, encrypted credentials have generally been removed at launch with best effort. July 26, 2020
While Kottman does not always report leaks to the affected companies, they said they will respond to takedown notices and will ensure that the information is not used to cause further harm.
Daimler AG and Lenovo appear to have issued such requests, as the former no longer appears in the repository and the latter’s folder is now empty. Some companies probably don’t even know that their source code has ended up online in public.
Tom’s Guide doesn’t provide a link to Kottman’s GitLab repository, as doing so would be questionable both ethically and legally, but it can be found by scrolling through Kottman’s recent tweets.
Dangerous consequences
Jake Moore, an ESET security specialist, told Tom’s Guide: “Losing control of source code on the Internet is like handing over a bank’s blueprint to thieves.
“This list will be seen by cybercriminals looking for vulnerabilities and confidential information in a very short space of time.”
He recommends: “Those affected websites will immediately need to implement additional protection measures to help protect those sites from the inevitable increase in harmful traffic to avoid further data compromises. However, it seems that not all sites will have realized by now that they can rub salt into the wound if end users find out before the companies themselves.”