Source code from exposed repositories of dozens of companies across various sectors (tech, finance, retail, food, eCommerce, manufacturing) is publicly available, because of misconfigurations in their infrastructure.
Leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; & the list keeps growing.
The leaks have been collated by Tillie Kottmann, a developer & reverse engineer, from various sources & from their own hunting for misconfigured devops tools, that give access to source code.
Many of these leaks, which go by the name “exconfidential” or the label “Confidential & Proprietary,” are available in a public repository on GitLab
Says Bank Security, a researcher focused on banking threats & fraud, code from over 50 companies is published in the repository. Not all folders have data, though, but the researcher says that credentials are present in some cases.
Kottmann’s server shows code from fintech companies (Fiserv, Buczy Payments, Mercury Trade Finance Solutions), banks (Banca Nazionale del Lavoro), developers of identity & access management (Pirean Access: One) & games.
Kottmann told Bleeping Computer that they find hardcoded credentials in the easily-accessible code repositories, which they try to remove as far as possible, to prevent direct harm & avoid contributing to a bigger breach.
“I try to do my best to prevent any major things resulting directly from my releases,” Kottmann explained to Bleeping Computer
The developer commented that they do not always contact the affected companies before releasing the code, but they make some effort to minimise the negative impact resulting from publishing.
Others are involved in the project, contributing directly or indirectly with leaks, or helping Kottmann better understand findings when this is not clear.
Kottmann also commented that they comply with take-down requests, & gladly provide information that would help strengthen the security of a company’s infrastructure. One leak from Daimler AG corporation behind the Mercedes-Benz brand is no longer present in the repository. Another empty folder has ‘Lenovo’ in its name.
However, to judge by the amount of DMCA notices received (estimated at up to 7) & direct contact from legal or other representatives, many companies may be unaware of the leaks.
Some businesses that take notice of their code becoming public do not remove it. In at least one case, several developers at one company simply wanted to know how Kottmann got the code & did not ask to take it down, wishing “a lot of fun.”
Looking at some of the code leaked on Kottmann’s GitLab server explained that some of the projects have been made public by their original developer or had been last updated a while ago.
Nevertheless, the developer told us that there are more companies with misconfigured devops tools exposing source code. Also, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs & security vulnerabilities.
Kottmann thinks there are 1,000s of companies that expose proprietary code by failing to properly secure SonarQube installations.
In a Telegram channel, the developer offers details about leaks from others, including the Nintendo leak dubbed Gigaleak containing source code, development repos (lots of graphic prototypes) of multiple classic games (Super Mario World, a cancelled Zelda 2 remake, Super Mario 64, The Legend of Zelda: Ocarina of Time).
It is not clear how much of the code on Kottmann’s server is proprietary & should be kept private. Bleeping Computer has reached out to a number of companies listed in the collection to learn to what extent they are affected by the leaks.