UPDATED Tuesday, July 28 with comment from Tillie Kottmann.
More than 50 high-profile companies have had their software source code made freely available online, partly as the result of incorrectly configured infrastructure.
Software source code belonging to household names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository.
- Best antivirus: keep your data and devices safe from hackers
- Malicious Android apps affect 3.5 million users — what to do
- Just in: 2020 Emmy nominees: Here's the full list (and where to stream them)
This may be related to a huge dump of Nintendo source code (opens in new tab) that started appearing online June 24. Tom's Guide could not confirm a link because the Nintendo data seems to have been removed from the GitLab repository of company code at the heart of this story.
However, the hacker who posted some of these files has explained the provenance of the Nintendo source code. We've added a bit at the end of our story.
According to a report by Bleeping Computer (opens in new tab), the leaked code was collected by Swiss software developer Tillie Kottmann (opens in new tab) and put under the names “exco confidential” and “confidential & proprietary” in a GitLab repository that can be accessed by anyone.
Kottmann amassed a large bulk of source code by scanning third-party sources and misconfigured DevOps applications. The leaks affect a broad variety of companies from tech giants to retailers.
Pseudonymous security researcher Bank Security (opens in new tab) estimates that more than 50 firms had their source code made available in the repository.
“The source code related to over 50 companies has been leaked and posted on a public repository,” tweeted Bank Security. “In some cases there are hard-coded credentials.”
Bank Security posted a list of the affected companies (opens in new tab) on Pastebin. It is safe to view the list.
Many sectors impacted
Bleeping Computer pointed out that within Kottmann’s repository, source code from organizations in industries such as fintech, banks, gaming, and identity and access management software was also published online.
Kottmann explained to Bleeping Computer that they (Kottmann identifies as non-binary) had come across hard-coded credentials in the repositories but took steps to stop them from being abused: “I try to do my best to prevent any major things resulting directly from my releases.”
fyi, hardcoded credentials have generally been stripped in the releases on a best effort basis.July 26, 2020
While Kottmann doesn’t report the leaks to the affected companies all the time, they said they will respond to takedown notices and ensure this information isn’t used to cause further damage.
It’s likely that Daimler AG and Lenovo issued such requests, as the former doesn’t appear in the repository anymore and the latter simply has a folder with nothing in it. Some companies probably don’t even know that their source code has ended up online in a public respiratory.
Tom's Guide is not providing a link to Kottmann's GitLab repository, as doing so would be questionable both ethically and legally, but it can be found by scrolling through Kottmann's recent tweets.
Jake Moore, a security specialist at ESET, told Tom’s Guide: “Losing control of the source code on the internet is like handing the blueprints of a bank to robbers.
“This list will be viewed by cyber criminals far and wide looking for vulnerabilities as well as confidential information in a scarily short space of time.”
He recommends: “Those websites affected will immediately need to put further protection measures in place to help protect those sites from the inevitable increase in nefarious traffic to avoid further data compromises. However, it appears not all of the sites will have been made aware yet which can rub salt into the wound should the end users find out before the companies themselves.”
Update: Kottmann clarifies the Nintendo situation
Kottmann reached out to Tom's Guide Tuesday (July 28) concerning the Nintendo source code and why it didn't appear in the GitLab repository.
"The Nintendo Gigaleak does not originate from me," Kottmann wrote. "We simply reshare some popular leaks on our Telegram channel sometimes, and repack them in more easily accessible formats for most people."
In fact, the Nintendo code was never on GitLab, they added.
"Nintendo is notorious for quick takedowns," Kottmann wrote, "so I usually host that elsewhere or directly provide zips/torrents on our Telegram channel."
- More: Stay anonymous and safer online with the best VPN