Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigured DevOps infrastructure.
A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; and the list keeps growing.
Operation ‘Confidential & Proprietary’
The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code.
A large number of these leaks, which go by the name “exconfidential” or the more tongue-in-cheek label “Confidential & Proprietary,” are available in a public repository on GitLab.
According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository. Not all folders are populated, but the researcher says that credentials are present in some cases.
Kottmann’s server shows code from fintech companies (Fiserv, Buczy Payments, Mercury Trade Finance Solutions), banks (Banca Nazionale del Lavoro), developers of identity and access management (Pirean Access: One) and games.
Kottmann told BleepingComputer that they find hardcoded credentials in the easily accessible code repositories, which they try to remove as best they can, to prevent direct harm and avoid contributing in any way to a larger breach.
“I try to do my best to prevent any major things resulting directly from my releases,” Kottmann told BleepingComputer.
The developer admitted that they don’t always contact the affected companies before releasing the code, yet they make an effort to minimize the negative impact resulting from publishing.
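The credentials Kottmann describes are the kind of thing a team should catch before a repository is ever exposed. The following is an added example, not code from the article or from Kottmann's project: a small scanner that flags common hardcoded-credential shapes (AWS access key IDs, private-key blocks, `password`/`secret`/`api_key`/`token` assignments), skips obvious placeholders and low-entropy values, and can redact what it finds. The patterns, thresholds and the sample config are constructed for illustration; a production scanner such as gitleaks or trufflehog carries far more rules.

```python
import math
import re

# Constructed detection rules for this example; not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Matches e.g. DB_PASSWORD = "..." or api-key: '...'; the quoted value is group 1.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that look like secrets syntactically but are clearly not real ones.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s):
    """Bits of entropy per character; real secrets are usually above ~3.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, path="<memory>"):
    """Return a list of findings: one dict per (line, rule) hit, with the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment":
                # Drop placeholders and low-entropy strings to cut false positives.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < 3.0:
                    continue
            findings.append({"path": path, "line": lineno, "rule": rule, "value": value})
    return findings


def redact(text, findings):
    """Replace every flagged value with a marker, the way a leak curator would before release."""
    lines = text.splitlines()
    for f in findings:
        idx = f["line"] - 1
        lines[idx] = lines[idx].replace(f["value"], "<REDACTED>")
    return "\n".join(lines)


# Constructed sample file; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE = """\
# config.py (constructed sample)
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
API_KEY = "q8Zr2vL9xT4mW1kP7nB3"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    hits = scan_source(SAMPLE, "config.py")
    for h in hits:
        print(f"{h['path']}:{h['line']} {h['rule']}: {h['value']}")
    print(redact(SAMPLE, hits))
```

Run against the sample, the placeholder `changeme` is ignored while the high-entropy API key and the AWS key ID are reported and then redacted. Wiring `scan_source` into a pre-commit hook or CI step is the cheapest way to keep this class of credential out of a repository that may later be exposed.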
Other people are involved in this project, contributing directly or indirectly with leaks or helping Kottmann better understand the nature of a finding when it is not clear to them.
Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company’s infrastructure. One leak from Daimler AG, the corporation behind the Mercedes-Benz brand, is no longer present in the repository. Another empty folder has Lenovo in its name.
However, judging by the number of DMCA notices received (estimated at up to seven) and direct contact from legal or other representatives, many companies may not be aware of the leaks.
Some businesses that take notice of their code becoming public don’t bother to remove it. In at least one instance, several developers at one company just wanted to know how Kottmann got the code and did not ask to take it down, wishing “a lot of fun.”
Reviewing some of the code leaked on Kottmann’s GitLab server revealed that some of the projects have been made public by their original developer or had been last updated a long time ago.
Nevertheless, the developer told us that there are more companies with misconfigured DevOps tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis that uncovers bugs and security vulnerabilities; an instance that allows anonymous browsing exposes the source of every project it analyzes.
Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.
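The exposure described above comes down to one question: what can an unauthenticated client read from the instance? The script below is an added example, not code from the article or from Kottmann, that a team can run against its own SonarQube server to answer it. It lists projects through the Web API, walks to one file in each, and tries to pull that file's raw source, all without credentials. The endpoint paths (`/api/components/search`, `/api/components/tree`, `/api/sources/raw`) are SonarQube's documented Web API, but parameter names have shifted between versions, so treat them as an assumption to verify against your instance. The canned responses and the `acme:billing` project are constructed for the offline run.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def live_fetch(base_url):
    """Return fetch(path) -> (status, body) that performs real anonymous GETs against base_url."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


def assess_anonymous_access(fetch, max_projects=50):
    """Probe what an unauthenticated user can reach. fetch(path) must return (status, body)."""
    report = {"projects_listable": False, "projects": [], "source_readable": []}

    # Step 1: can anonymous users enumerate projects (qualifier TRK)?
    status, body = fetch(f"/api/components/search?qualifiers=TRK&ps={max_projects}")
    if status != 200:
        # 401/403 here means anonymous browsing is off (sonar.forceAuthentication=true).
        return report
    report["projects_listable"] = True
    report["projects"] = [c["key"] for c in json.loads(body).get("components", [])]

    # Step 2: for each project, find one file (qualifier FIL) and try to read its raw source.
    for project in report["projects"]:
        status, tree = fetch(
            f"/api/components/tree?component={quote(project, safe='')}&qualifiers=FIL&ps=1"
        )
        if status != 200:
            continue
        files = json.loads(tree).get("components", [])
        if not files:
            continue
        status, _ = fetch(f"/api/sources/raw?key={quote(files[0]['key'], safe='')}")
        if status == 200:
            report["source_readable"].append(project)
    return report


# Constructed responses standing in for two servers: one exposed, one locked down.
EXPOSED = {
    "/api/components/search?qualifiers=TRK&ps=50": (
        200, json.dumps({"components": [{"key": "acme:billing"}]})),
    "/api/components/tree?component=acme%3Abilling&qualifiers=FIL&ps=1": (
        200, json.dumps({"components": [{"key": "acme:billing:src/Pay.java"}]})),
    "/api/sources/raw?key=acme%3Abilling%3Asrc%2FPay.java": (200, "public class Pay {}"),
}
LOCKED = {"/api/components/search?qualifiers=TRK&ps=50": (401, "")}


def canned_fetch(responses):
    """Offline stand-in for live_fetch: serve the constructed responses, 404 otherwise."""
    return lambda path: responses.get(path, (404, ""))


if __name__ == "__main__":
    print("exposed:", assess_anonymous_access(canned_fetch(EXPOSED)))
    print("locked :", assess_anonymous_access(canned_fetch(LOCKED)))
    # Against a real server: assess_anonymous_access(live_fetch("https://sonar.example.com"))
```

A non-empty `source_readable` list is the finding Kottmann is hunting for. The fix is on the server side: enable `sonar.forceAuthentication`, make projects private, and keep the instance off the public internet rather than relying on obscurity.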
In a Telegram channel, the developer offers details about leaks from others, including the Nintendo leak dubbed Gigaleak, which contains source code and development repositories (with many graphics prototypes) for multiple classic games (Super Mario World, a canceled Zelda 2 remake, Super Mario 64, The Legend of Zelda: Ocarina of Time).
It is unclear how much of the code on Kottmann’s server is proprietary and should be kept private. BleepingComputer has reached out to a number of companies listed in the collection to learn to what extent they are affected by the leaks.