Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Source Code From Major Firms Leaked via Unprotected DevOps Infrastructure

Source code belonging to tens of companies, including several major organizations, has been leaked online after it was found on unprotected DevOps infrastructure.

Source code belonging to tens of companies, including several major organizations, has been leaked online after it was found on unprotected DevOps infrastructure.

Swiss-based IT consultant Till Kottmann has posted a list of roughly 50 companies that at some point exposed source code. For some of the impacted organizations the code has been removed from the repository, but in many cases it’s still available.

Kottmann told SecurityWeek that the source code they’ve made public, much of which appears to be proprietary, mostly comes from improperly configured or exposed DevOps infrastructure. The researcher says the information mainly originates from SonarQube instances, but also from GitLab and Jenkins.

“Some of the things are also sent to me by various sources,” Kottmann explained. “I usually do not know how they obtained the code.”

The list of impacted companies appears to include Microsoft, Adobe, Johnson Controls, GE, AMD, Lenovo, Motorola, Qualcomm, Mediatek, Disney, Daimler, Roblox, Nintendo and various organizations in the software, hardware, healthcare, finance, automotive, travel and industrial sectors.

Source code from many companies leaked

Microsoft did not want to comment on the source code leak. Adobe told SecurityWeek that it’s aware of the website hosting the source code and it’s working on having the content removed. The Adobe source code is still online at the time of publishing.

“We have no evidence to suggest that any Adobe systems or customers have been compromised due to this issue,” the company stated.

Kottmann said they try not to release anything that could put individuals in danger and they attempt to censor any credentials they find before making the code public. They also noted that impacted vendors have not been notified, unless important information (e.g. healthcare information) has been identified in the exposed files, in which case the data will not be made public and the vendor will be contacted.

Advertisement. Scroll to continue reading.

“There are multiple aspects to this [project],” Kottmann explained. “It will hopefully show some companies that their own infrastructure also needs to be protected. I am also very curious and so are many other people, and this gives an interesting inside view into how (unfortunately often badly) proprietary projects are built.”

“In the case of things like Mediatek or Qualcomm this is obviously also about allowing people to do with their (mobile) devices what they please, and make things like custom roms easier,” the researcher added. “Lastly there is also, at least for some of these releases, certainly a political aspect that plays a role, but the other reasons overshadow this mostly.”

Related: BlueLeaks: Data From Hundreds of Law Enforcement Organizations Leaked Online

Related: Hackers Leak Data Stolen From UK Electricity Market Administrator Elexon

Related: Unprotected Database Exposed 5 Billion Previously Leaked Records

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.