fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Source Code From Dozens Of Companies Leaked Online

Source Code From Dozens Of Companies Leaked Online

Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure.

A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; and the list keeps growing.

Operation ‘Confidential & Proprietary’

The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code.

A large number of these leaks, which go by the name “exconfidential” or the more tongue-in-cheek label “Confidential & Proprietary,” are available in a public repository on GitLab

According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository. Not all folders are populated, though, but the researcher says that credentials are present in some cases.

Kottmann’s server shows code from fintech companies (Fiserv, Buczy Payments, Mercury Trade Finance Solutions), banks (Banca Nazionale del Lavoro), developers of identity and access management (Pirean Access: One) and games.

Kottmann told BleepingComputer that they find hardcoded credentials in the easily-accessible code repositories, which they try to remove as best as they can, to prevent direct harm and avoid contributing in any way to a larger breach.

“I try to do my best to prevent any major things resulting directly from my releases,” Kottmann told BleepingComputer

The developer admitted that they don’t always contact the affected companies before releasing the code, yet they make an effort to minimize the negative impact resulting from publishing.

Other people are involved in this project, contributing directly or indirectly with leaks or helping Kottmann better understand the nature of their finding when this is not clear to them.

Also read: 4 easy guides to data breach assessment

Takedown compliance

Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company’s infrastructure. One leak from Daimler AG corporation behind the Mercedes-Benz brand is no longer present in the repository. Another empty folder has Lenovo in its name.

However, judging by the number of DMCA notices received (estimated at up to seven) and direct contact from legal or other representatives, many companies may not be aware of the leaks.

Some businesses that take notice of their code becoming public don’t bother to remove it. In at least one instance, several developers at one company just wanted to know how Kottmann got the code and did not ask to take it down, wishing “a lot of fun.”

More hunting

Reviewing some of the code leaked on Kottmann’s GitLab server revealed that some of the projects have been made public by their original developer or had been last updated a long time ago.

Nevertheless, the developer told us that there are more companies with misconfigured devops tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs and security vulnerabilities.

Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.

In a Telegram channel, the developer offers details about leaks from others, including the Nintendo leak dubbed Gigaleak containing source code, development repos (lots of graphic prototypes) of multiple classic games (Super Mario World, a canceled Zelda 2 remake, Super Mario 64, The Legend of Zelda: Ocarina of Time).

It is unclear how much of the code on Kottmann’s server is proprietary and should be kept private. BleepingComputer has reached out to a number of companies listed in the collection to learn to what extent they are affected by the leaks.

Also read: 7 Client Data Protection Tips to Keep Customers Safe

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us