Internal Source Code From 50 Different High-Profile Companies Are Leaking To The Internet

27/07/2020

Internal software source code from more than 50 high-profile companies in different industries from tech to finance, retail and others, has been leaked to the web.

First reported by tech website Bleeping Computer, the data was compiled by a Swiss citizen named Tillie Kottmann.

The developer and reverse engineer found the various codes when he was haunting for misconfigured DevOps tools that offer access to source code. It was during this time that he was able to pull source code from companies like Microsoft, Adobe, AMD, Qualcomm, Disney, Motorola, GE Appliances, and others.

And the list keeps growing.

Kottmann posted the code on the online repository manager GitLab, which anyone can access, tagged under "exconfidential" and "Confidential & Proprietary." Not all folders are populated, but the researcher said that credentials are present in some of the cases.

The developer also posted a link to the online repository on his Twitter account.

Just some of the subgroups and project titles shared by Tillie Kottmann
Just some of the subgroups and project titles shared by Tillie Kottmann. (Credit: Bleeping Computer)

Kottmann said that there are hardcoded credentials in the easily-accessible code repositories, which he tried to remove as best as he can, in order to prevent direct harm to the companies, and also to avoid contributing in any way to a larger breach.

“I try to do my best to prevent any major things resulting directly from my releases,” Kottmann said.

The developer admitted that he doesn't always contact the affected companies before releasing the code, but he made an effort to minimize the negative impact resulting from the publishing.

Other people can also contribute directly or indirectly with the leaks if they want to.

Kottmann said that he complies with takedown requests, and will gladly provide the necessary information that would strengthen the security of a the affected companies' infrastructure.

Initially, some big companies were quickly aware of the issue. Daimler AG corporation behind the Mercedes-Benz brand for example, and Lenovo, were quick in addressing the leak.

However, judging by the number of DMCA notices received, and direct contact from legal or other representatives, many companies may not be aware of the leaks. And even if they do, they may not care.

In one instance, developers at one company simply wanted to know how Kottmann was able to get the source code, per the report, and said to have "a lot of fun."

After people started reviewing some of the code leaked on Kottmann’s GitLab server, it was revealed that some of the source code projects were actually made public by their original owners/developers, or had been last updated a long time ago.

Nevertheless, Kottmann said that there are many companies with misconfigured DevOps that resulted in the exposure of their source code.

Kottmaan is also exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs and security vulnerabilities.

Kottmann believes there are thousands of companies that may have been exposed by failing to properly secure their SonarQube installations.

Using an open-source tool called Sloot, Kottman shows how the little tool can download all source code from public SonarQube instances.

From the growing list of companies that had their internal source code leaked, Nintendo is gaining much of the attention online, simply because it gives an inside look at the source code behind a range of classic games including Mario, Mario Kart, Zelda, F-Zero and Pokemon series.

The Nintendo code also includes pre-release art, fully playable prototypes of some games and even references to projects that were never completed.

It is at this time unclear about how much of the source code on Kottmann's server is proprietary and should be kept private. BleepingComputer has reached out to a number of companies listed in the collection to learn to what extent they are affected by the leaks.