Software belonging to more than 50 high-profile companies is available online because of misconfigured software development platforms. The source code leak affects companies across fields such as tech, finance, retail, food, eCommerce, and manufacturing. Analysis of the leaked code also revealed poor security practices at some of the affected companies, notably storing login credentials in the source code itself.
Companies affected by the source code leak
Experts say that although only a handful of companies are known, the breach probably affects thousands of other enterprises across various domains. Renowned companies currently confirmed to be affected by the source code leak include Microsoft, Adobe, AMD, Disney, GE Appliances, Hisilicon, Johnson Controls, Lenovo, MediaTek, Motorola, Nintendo, and Roblox.
Fintech companies affected by the source code leak include Fiserv, Buczy Payments, and Mercury Trade Finance Solutions. Other companies include banks, such as Banca Nazionale del Lavoro, and developers of identity and access management products, such as Pirean Access: One. Game companies affected include the makers of Super Mario World, a canceled Zelda 2 remake, Super Mario 64, and The Legend of Zelda: Ocarina of Time. In addition to source code, the Nintendo leak, known as the Gigaleak, contained development repos consisting of various graphic prototypes.
Origin of the source code leak
Tillie Kottmann, a Swiss software developer and reverse engineer, collected the source code from misconfigured DevOps applications. The researcher created a public repository on GitLab named “exconfidential” and “Confidential & Proprietary.”
The developer was also investigating SonarQube installations to find similar source code repositories left unsecured and accessible to the public.
The original owners had probably already released some of the repositories included in the source code leak. Other products were last updated a long time ago, indicating the source code may no longer be in use.
Surprisingly, Kottmann found hardcoded credentials in the exposed repositories. The programmer said they removed the login details before publishing the code to protect the security of the affected products.
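Hardcoded credentials of the kind described above are exactly what a repository owner should catch before code ever reaches a shared or public platform. The following is an added example, not code from the article or from Kottmann's repositories: a small pre-publication secret scanner with rule-based detection plus an entropy filter to suppress placeholder values. The sample files and their credentials are constructed for illustration (the AWS key is Amazon's documented example key).

```python
import math
import re
from collections import Counter

# Constructed sample source files, modelled on the kind of hardcoded
# credentials found in the exposed repositories (all values are made up).
SAMPLE_FILES = {
    "config/db.yml": "host: db.internal\nusername: app\npassword: Pr0d-S3cret-2020!\n",
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-west-1\n",
    "src/main.py": "import os\nPASSWORD = os.environ['DB_PASSWORD']\nTIMEOUT = 30\n",
    "docs/README.md": "Set password via the DB_PASSWORD environment variable.\n",
}

# Each rule: (name, regex) where group 1 captures the candidate secret.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; generated secrets score higher than plain words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_env_lookup(value: str) -> bool:
    """Reading the secret from the environment is the intended fix, not a finding."""
    return value.startswith(("os.environ", "os.getenv", "${", "$"))

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (path, line number, rule name, matched value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1)
            # Password rule is noisy: drop env lookups and low-entropy placeholders.
            if name == "password_assignment" and (
                is_env_lookup(value) or shannon_entropy(value) < min_entropy
            ):
                continue
            findings.append((path, lineno, name, value))
    return findings

def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents, e.g. built from a git tree."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d [%s] %s" % finding)
```

The entropy threshold trades false positives for false negatives: a low-entropy real password such as a dictionary word will slip past it, so treat this as a first filter rather than a complete control.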
Kottmann, however, admitted that they do not notify the companies before publishing the code, but do comply with takedown requests. The Swiss programmer said they also shared additional information with the affected companies to help them harden their security measures.
Kottmann noted that some companies are not interested in removing the source code and only ask for information on how they obtained it. The developer said some companies told them to have “a lot of fun” with the code, indicating such logic was probably obsolete.
However, some code remains valuable to its owner, and up to seven DMCA complaints and legal notices emerged from the source code leak. Other affected companies are still unaware that their code is publicly available.
Some of the published folders in the source code leak are empty, implying that Kottmann removed the code after receiving takedown requests. Daimler AG and Lenovo are among the companies that probably made the appeals.
Implications of the source code leak
Although some of the source code may be outdated, releasing the logic of various devices allows attackers to understand the low-level operations of those devices. Such knowledge is crucial in finding vulnerabilities in current products whose earlier versions were affected by the source code leak.
However, not every expert believes the source code leak was of any consequence. Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, says unmaintained source code becomes worthless after very few iterations.
“From a technical standpoint, these leaks are not that dramatic. Most of the source code is worthless unless you have other pieces of technology and, importantly, people to make complicated systems work properly. Moreover, the source code rapidly depreciates without daily support and improvement. Thus, unscrupulous competitors are unlikely to get much value unless they are seeking a very specific piece of software. Furthermore, unlawful usage of the source code is quite easily provable and may trigger multi-million lawsuits.”