The internal source code of more than 50 high-profile companies has been leaked to a publicly accessible online repository.
Source code from notable tech companies like AMD, Microsoft, Qualcomm, and Nintendo was confirmed to have been leaked. Companies like Roblox, Johnson Controls, GE Appliances, and Disney are also on the list.
Reports revealed that the source code was collected by developer and engineer Tillie Kottmann. It appears that these companies were using unsecured public repositories to store their internal code; a misconfiguration of their code repositories allowed the leak in the first place.
Operation Confidential and Proprietary
Much of the leaked source code now carries the label “exconfidential.” Most of it is also stored in a public repository on GitLab, where it is publicly accessible.
The most worrisome aspect of this leak is the fact that it affected several financial companies. Notable institutions like Banca Nazionale del Lavoro, Fiserv, and Mercury Trade Finance Solutions are among them.
To prevent malicious use of the source code, Kottmann said that they removed hardcoded credentials before posting it. This is to make sure that malicious users cannot use these credentials to mount a larger hack.
⚠️ The affected giants include #Nintendo, #Microsoft, Adobe, Lenovo, AMD, Qualcomm, Mediatek, GE Appliances, etc. In some instances, login credentials are hardcoded!
Full Story: https://t.co/b4MciF5Y5s #CyberSecurity #SourceCode #Leaks #GitLab
— Hackread.com (@HackRead) July 27, 2020
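The paragraph above and the tweet both turn on the same point: credentials hardcoded in source become usable the moment the repository is exposed, so they should be caught before a commit lands. The following is an added example, not code from the article or from Kottmann, of a minimal pre-commit secret scanner: it flags credential-style assignments and a known public key format, falls back to a Shannon-entropy check for long random-looking literals, and redacts what it finds. The sample source it scans is constructed for this example; the AWS key value is the public placeholder from AWS documentation, not a real key.

```python
import math
import re

# Credential-shaped patterns. The AWS access-key layout (AKIA + 16 uppercase
# alphanumerics) is publicly documented; the other two are generic assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "token_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Long quoted literals made only of token-like characters (no spaces or dots).
STRING_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")

def shannon_entropy(s):
    """Bits per character: random tokens score high, words and padding low."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

def scan_source(text, entropy_threshold=4.0):
    """Return (line_number, finding_type, matched_text) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, m.group(0)))
        # Entropy fallback only for lines no named pattern already flagged.
        if not any(f[0] == lineno for f in findings):
            for m in STRING_LITERAL.finditer(line):
                if shannon_entropy(m.group(1)) >= entropy_threshold:
                    findings.append((lineno, "high_entropy_literal", m.group(1)))
    return findings

def redact(text, findings):
    """Replace each flagged value with a placeholder, keeping the key names."""
    lines = text.splitlines()
    for lineno, _name, value in findings:
        quoted = re.search(r"['\"]([^'\"]+)['\"]", value)
        secret = quoted.group(1) if quoted else value
        lines[lineno - 1] = lines[lineno - 1].replace(secret, "<REDACTED>")
    return "\n".join(lines) + "\n"

# Constructed sample input (hypothetical config module, not from the leak).
SAMPLE = """# constructed sample, not real code from the leak
DB_HOST = "db.internal.example"
DB_PASSWORD = "Sup3rS3cretPass!"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "ghp_constructedPlaceholderTokenValue000"
ENCRYPTION_SALT = "AbCdEfGhIjKlMnOpQrStUvWxYz012345"
greeting = "hello world, this is a plain message"
BANNER_PAD = "----------------------------"
"""
```

Run as a pre-commit hook, a non-empty result from `scan_source` should block the commit; the entropy threshold is a tuning knob, since hashes and base64 blobs also score high.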
Kottmann said that once they find a flaw in a system, they don’t necessarily contact the affected company. Nevertheless, he adds that they try to clean the code of sensitive data to prevent further attacks.
Kottmann and his team also comply with requests from companies to remove their source code from the repository. In a previous leak, Daimler requested that their code be removed from the online repository. Kottmann obliged and promptly removed the Daimler code.
Developing security
In the tech community, exposing source code to try to force a company to make security upgrades is common. Some companies take this on proactively.
Companies are launching bug bounty programs that invite hackers to attack their systems deliberately. This way, bugs and glitches are discovered before a particular product goes into production.
Kottmann said that they are still investigating multiple companies with perceived vulnerabilities. He adds that thousands of companies have exposed systems that are extremely vulnerable to hacking. On top of that, companies are also using misconfigured DevOps tools that expose their system.
Despite the apparent danger of leaked source code, some companies appear simply to turn a blind eye. Some developers are even keen to learn how Kottmann pulled off a code heist of that magnitude.
Featured image courtesy of oatawa/Shutterstock