Source code of dozens of companies leaked online

Source code from exposed repositories belonging to dozens of companies in a range of sectors (technology, finance, retail, food, e-commerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure.

A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney and Johnson Controls, and the list continues to grow.

‘Confidential and patented’ operation

The leaks have been compiled by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own search for poorly configured DevOps tools that expose source code.

A large number of these leaks, labeled “ex-confidential” or, more ironically, “Confidential and Patented,” are available in a public repository on GitLab.

According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository. Not all folders are populated, but the researcher says that credentials are present in some cases.

Kottmann’s server hosts code from fintech companies (Fiserv, Buczy Payments, Mercury Trade Finance Solutions), banks (Banca Nazionale del Lavoro), identity and access management developers (Pirean Access: One) and games.

Kottmann told BleepingComputer that they find hard-coded credentials in the easily accessible code repositories, which they try to remove as best they can, to avoid direct harm and to avoid contributing in any way to a major breach.
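Credentials committed to source control are what turns an exposed repository into a breach. The following is an added example, not code from the article or from Kottmann’s project: a minimal scanner a team can run over its own tree before mirroring or publishing it, to catch the kind of hard-coded secrets described above. The rule set, placeholder filter and the sample configuration snippet are all constructed for illustration; production pipelines should use a maintained tool with a tuned rule set.

```python
"""Minimal hard-coded credential scanner (added example, constructed rules).

Flags strings that look like secrets in a source tree so they can be removed
(and rotated) before the repository is pushed or mirrored anywhere public.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    excerpt: str  # the offending line with the secret masked


# Rule name -> regex. A capturing group, when present, marks the secret itself
# so it can be masked in the report. These formats are stable and well known
# (AWS access key IDs, PEM private key headers); the last rule is a generic
# "password/secret/token = '...'" assignment and will need tuning in practice.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Lines that are obviously placeholders or read the value from the environment
# are not hard-coded secrets and are suppressed to cut noise.
PLACEHOLDERS = re.compile(
    r"(?i)(changeme|example|placeholder|\$\{[^}]+\}|<[^>]+>|os\.environ|getenv)"
)

SKIP_DIRS = {".git", "node_modules", "vendor", "build", "dist"}


def _mask(line: str, secret: str) -> str:
    """Never echo the secret; keep the line so the finding can be located."""
    return line.strip().replace(secret, secret[:4] + "****")


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Scan one file's contents; returns findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PLACEHOLDERS.search(line):
            continue
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            # group(1) exists only for rules that isolate the secret value
            excerpt = _mask(line, m.group(1)) if m.lastindex else line.strip()
            findings.append(Finding(path, line_no, rule, excerpt))
    return findings


def scan_tree(root: Path) -> Iterator[Finding]:
    """Walk a checkout, skipping dependency and build directories."""
    for p in root.rglob("*"):
        if p.is_dir() or any(part in SKIP_DIRS for part in p.parts):
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        yield from scan_text(text, str(p))


# Constructed sample: a config file of the kind that ends up in leaked repos.
# The key and password below are made up for this example.
SAMPLE = """\
db_host = "db.internal.example"
db_password = "CorrectHorseBattery99"
aws_access_key_id = "AKIA0123456789ABCDEF"
api_key = "${API_KEY}"            # injected at deploy time: fine
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.py"):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Run as a pre-commit or CI step with `scan_tree(Path("."))`; a non-empty result should fail the job. Anything it flags in a repository that was ever reachable by third parties should be treated as compromised and rotated, not merely deleted from history.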

“I try to do everything possible to avoid anything important resulting directly from my releases,” Kottmann told BleepingComputer.

The developer admitted that they do not always contact the affected companies before releasing the code, but said they strive to minimize the negative impact of a release.

Other people are involved in the project, contributing directly or indirectly to the leaks or helping Kottmann understand the nature of their findings when it is not clear to them.

Takedown compliance

Kottmann also says they comply with takedown requests and are happy to provide information that would strengthen the security of a company’s infrastructure. A leak from Daimler AG, the corporation behind the Mercedes-Benz brand, is no longer present in the repository. Another empty folder has Lenovo in its name.

However, judging by the number of DMCA notices received (estimated at up to seven) and the direct contact from legal representatives or others, many companies may not be aware of the leaks.

Some companies that realize their code has been made public do not bother to have it deleted. In at least one instance, several developers at one company just wanted to know how Kottmann got the code and did not ask for its removal, wishing them “a lot of fun.”

More hunting

A review of some of the leaked code on Kottmann’s GitLab server showed that some of the projects were either made public by their original developer or last updated a long time ago.

However, the developer told us that there are more companies with poorly configured DevOps tools exposing their source code. Additionally, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis used to uncover security bugs and vulnerabilities.

Kottmann believes that thousands of companies expose proprietary code by failing to properly secure their SonarQube installations.

On a Telegram channel, the developer provides details on leaks from others, including the Nintendo leak dubbed Gigaleak, which contains source code and development repositories (including many graphics prototypes) for multiple classic games (Super Mario World, a canceled Zelda 2 remake, Super Mario 64, The Legend of Zelda: Ocarina of Time).

It is unclear how much of the code on Kottmann’s server is proprietary and should be kept private. BleepingComputer has contacted several companies listed in the collection to find out to what extent they are affected by the leaks.