Source code from big-name companies leaked online

Several big-name companies haven’t been putting enough protection around some of their source code, according to news reports.

According to Bleeping Computer, a security researcher called Tillie Kottmann has assembled a GitLab repository of source code from dozens of companies including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney and Johnson Controls because of misconfigurations in their infrastructure.

Kottmann told the news site that some companies are contacted before their code is posted, and that when a company asks, its source code is removed from the repository. In addition, where the code originally included hardcoded credentials, these have been removed where possible before being posted to the repository to avoid security issues.

Bleeping Computer said it isn’t clear how much of the code on Kottmann’s server is proprietary and should be kept private. After looking at some of the code it believes some projects have been made public by their original developer, while others are old enough that they haven’t been updated in a while.

This isn’t the first time corporate source code has been found without adequate protection. In January a Canadian security developer and researcher found two open GitHub accounts with application source code, internal user names and passwords, and private keys from Rogers Communications. Rogers said the code was obsolete. Last year the same researcher found source code belonging to Scotiabank on GitHub.

“From a technical standpoint, these leaks are not that dramatic,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said in an email. “Most of the source code is worthless unless you have other pieces of technology and, importantly, people to make complicated systems work properly. Moreover, the source code rapidly depreciates without daily support and improvement. Thus, unscrupulous competitors are unlikely to get much value unless they are seeking a very specific piece of software. Furthermore, unlawful usage of the source code is quite easily provable and may trigger multi-million lawsuits.”

But, he said, the researchers who posted the code may be sued for a variety of reasons including copyright infringement, conspiracy and violation of computer crime laws. Large companies are unlikely to go to court, he added, preferring to quickly remove the source code from the repository and remediate their internal DevOps security processes.

To prevent the loss of source code, organizations should revise and continuously monitor their DevOps operations, converting them into agile DevSecOps, he said.
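The article notes that some of the leaked code carried hardcoded credentials, which is exactly the kind of defect a continuously monitored DevSecOps pipeline should catch before code is committed or published. The following is an added example, not code from the article or from any of the companies named: a small pre-commit style scanner that flags common credential shapes in source text and uses an entropy threshold to skip placeholder values. The rule set, the entropy threshold and the sample file are all constructed for illustration; production pipelines would use a maintained tool with a far larger rule set.

```python
"""Added example (not from the article): flag hardcoded credentials in
source text before it is committed or published. Patterns, threshold and
sample input are constructed for illustration only."""
import math
import re
from collections import Counter

# Constructed detection rules for a few common credential shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # keyword = "value" / keyword: 'value' with a value of 8+ characters
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high,
    dictionary placeholders such as "changeme" score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.0):
    """Return a list of (line_no, rule, stripped_line) findings.

    generic_assignment hits are reported only when the assigned value has
    at least min_entropy bits per character, so obvious placeholders are
    not flagged while random-looking secrets are.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                if shannon_entropy(m.group(2)) < min_entropy:
                    continue
            findings.append((line_no, rule, line.strip()))
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE = """\
# constructed sample, not code from any company
import os
DB_PASSWORD = "changeme"
API_KEY = "s3cr3t-Va1ue-9xQz"
AWS_KEY = "AKIAEXAMPLEKEY000001"
token = os.environ["API_TOKEN"]
"""


if __name__ == "__main__":
    # The placeholder on line 3 and the environment lookup on line 6 pass;
    # lines 4 and 5 are reported and would block the commit.
    for line_no, rule, snippet in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {snippet}")
```

Wiring `scan_text` into a pre-commit hook over the staged diff, and running the same rules over every pushed branch in CI, gives the continuous monitoring the article calls for; reading secrets from the environment, as the last sample line does, is the pattern the scanner is meant to leave untouched.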


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
