[BreachExchange] Internal source code from 50 high-profile companies including Microsoft, Disney, and Nintendo has been leaked and posted online for people to access
Destry Winant
destry at riskbasedsecurity.com
Tue Jul 28 10:27:05 EDT 2020
https://www.businessinsider.com/software-source-code-leaked-microsoft-nintendo-2020-7
Internal software source code from more than 50 high-profile companies
across tech, finance, retail, and other sectors has been leaked
online.
Originally reported by the tech site Bleeping Computer, a Swiss
developer named Tillie Kottmann was able to pull source code from the
likes of Microsoft, Nintendo, Disney, Motorola, and others because of
insecure DevOps applications that leave proprietary company
information exposed. Kottmann posted the code on the online repository
manager GitLab, which anyone can access, tagged under "exconfidential"
and "Confidential & Proprietary." The developer posted a link to the
online repository on their Twitter account.
The leaked Nintendo code especially gained attention from the gaming
world — it gives an inside look at the source code behind some of the
company's most classic games, as Polygon reports. The leaked Nintendo
code has been dubbed the "GigaLeak" online.
Making the source code available for public viewing could allow cyber
attackers to more easily scrounge for confidential company
information, as security specialist Jake Moore told tech blog Tom's
Guide.
"Losing control of the source code on the internet is like handing the
blueprints of a bank to robbers," Moore told the site.
According to Bleeping Computer, Kottmann is responsive to requests
from the companies to take down their source code. A leak that had
previously revealed code from Daimler, the parent company to
Mercedez-Benz, is no longer listed in the online repository. But some
firms, according to the report, may not even notice that their source
code has been published online. And even when they are made aware,
they may not care — developers at one company simply wanted to know
how Kottmann was able to pull the code collection off, per the report,
and said to have "a lot of fun."
Kottmann told Bleeping Computer that they attempt to remove hardcoded
credentials, which are embedded credentials generally used to create
backdoors, from the companies' source code before publishing it to
avoid an even more robust security breach.
"I try to do my best to prevent any major things resulting directly
from my releases," the developer told the outlet.
Kottmann's Twitter account bio in part reads "probably leaking your
source code right now." The account's pinned tweet is a crowdsourcing
post asking for "any confidentiality, documents, binaries or source
code, which you think should be made available to the public..."
More information about the BreachExchange
mailing list