Source code from dozens of companies leaked online

0 leak

Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure.

A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; and the list keeps growing.

Operation ‘Confidential & Proprietary’

The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code.

A large number of these leaks, which go by the name “exconfidential” or the more tongue-in-cheek label “Confidential & Proprietary,” are available in a public repository on GitLab

According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository. Not all folders are populated, though, but the researcher says that credentials are present in some cases.

BankSecurity Src Leak creds

Kottmann’s server shows code from fintech companies (Fiserv, Buczy Payments, Mercury Trade Finance Solutions), banks (Banca Nazionale del Lavoro), developers of identity and access management (Pirean Access: One) and games.

Kottmann told BleepingComputer that they find hardcoded credentials in the easily-accessible code repositories, which they try to remove as best as they can, to prevent direct harm and avoid contributing in any way to a larger breach.

“I try to do my best to prevent any major things resulting directly from my releases,” Kottmann told BleepingComputer

The developer admitted that they don’t always contact the affected companies before releasing the code, yet they make an effort to minimize the negative impact resulting from publishing.

Other people are involved in this project, contributing directly or indirectly with leaks or helping Kottmann better understand the nature of their finding when this is not clear to them.

Takedown compliance

Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company’s infrastructure. One leak from Daimler AG corporation behind the Mercedes-Benz brand is no longer present in the repository. Another empty folder has Lenovo in its name.

However, judging by the number of DMCA notices received (estimated at up to seven) and direct contact from legal or other representatives, many companies may not be aware of the leaks.

Some businesses that take notice of their code becoming public don’t bother to remove it. In at least one instance, several developers at one company just wanted to know how Kottmann got the code and did not ask to take it down, wishing “a lot of fun.”

TillieKottmann Src Leaks

More hunting

Reviewing some of the code leaked on Kottmann’s GitLab server revealed that some of the projects have been made public by their original developer or had been last updated a long time ago.

Nevertheless, the developer told us that there are more companies with misconfigured devops tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs and security vulnerabilities.

Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.

In a Telegram channel, the developer offers details about leaks from others, including the Nintendo leak dubbed Gigaleak containing source code, development repos (lots of graphic prototypes) of multiple classic games (Super Mario World, a canceled Zelda 2 remake, Super Mario 64, The Legend of Zelda: Ocarina of Time).

It is unclear how much of the code on Kottmann’s server is proprietary and should be kept private. BleepingComputer has reached out to a number of companies listed in the collection to learn to what extent they are affected by the leaks.

Source link

Recent articles

Ohio Governor Says His Flawed Virus Test Shouldn’t Undercut New, Rapid Methods

Gov. Mike DeWine of Ohio, who last week tested positive for the coronavirus, then negative and then negative again, said on CNN on...

Egypt extends detention of Al Jazeera journalist Mahmoud Hussein | News

Egyptian authorities have extended the detention of Al Jazeera journalist Mahmoud Hussein by another 45 days. The extension on Sunday came more than 1,300...

Created with Blender 2.8: ‘Take on me’ cover: Arrangement for Flute orchestras

PiDi writes: 'Take on me' cover: Arrangement for Flute orchestras (Cover) Similar to the original video, it looks like a comic book. All image effects were...

Looks Like AT&T Cancelled Plans for WB Interactive Sale

Following months of reports about its sale, Warner Bros. Interactive Entertainment seems to be resting safely with AT&T for now, if comments by...

Leave a reply

Please enter your comment!
Please enter your name here