Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure, Bleeping Computer reported.
A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; and the list keeps growing. The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code.
A large number of these leaks, which go by the name “exconfidential” or the more tongue-in-cheek label “Confidential & Proprietary,” are available in a public repository on GitLab.
According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository. Not all folders are populated, but the researcher says that credentials are present in some cases.
In an email to the IT Security Guru, Niamh Muldoon, senior director of trust and security at OneLogin, commented: “Engineering and Development organisations and communities have powerful access privileges to systems and data, and therefore, need to have and maintain a security-conscious mindset at all times. There is no room for accidental errors. All their access to production environments and associated code repositories should be subject to two-factor authentication and this two-factor authentication should be required again for successful execution of high privileges such as code updates and/or production configuration changes. The additional authentication associated with execution of high-privileges is commonly known as enhanced multi-factor authorisation.”
Tim Makey, principal security strategist at the Synopsys CyRC, added: “DevOps, DevSecOps and Configuration as Code, to name but a few buzzwords, all have a common element – they store source and potentially configuration information in code repositories. The underlying technology used in many repositories was designed to facilitate collaboration within distributed teams, such as those common within open source communities. When used in a business environment, code repositories offer the same benefits, but their usage needs to be properly managed in order to avoid leaking critical information.”
Makey explained that sometimes, if code was intended as a prototype, employees might not take the necessary precautions to properly manage secrets like passwords or access tokens. “If the employee’s identity and employer is known, say via LinkedIn, and can be mapped to a repository, say GitHub, then a targeted attack could be mounted which looks for errors in judgement should the employee take short cuts when posting their prototype code. Since code repositories often retain past edits, even if the error in judgement is fixed in a patch, that error may still remain in the history. In effect, such an attack pattern uses the strengths of the technology (historical records) as the lever behind an exploitable weakness (errors in human judgement).”
According to Makey, this repository of code, and the associated attack pattern, should serve as a reminder to IT and engineering organizations that periodic reviews of repository configuration and of how developers use repositories are a key component of any cybersecurity initiative. This includes having a monitoring process for any code branching activity and implementing rigorous code reviews to ensure that company secrets aren’t accidentally posted in any publicly accessible forum.
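The point Makey makes about history retention, that a secret removed in a later commit is still readable in earlier ones, is what a review of repository usage has to account for. The following is an added example (not from the article or the quoted companies) of a minimal history scanner: it walks constructed `git log -p` output, applies a hypothetical "quoted literal assigned to a secret-looking name" rule, and records both the commit that introduced each literal and the commit that removed it, so the finding is not masked by a clean HEAD.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `git log -p --reverse` output (fake repo, fake token):
# commit aaaa111 adds a hard-coded token, commit bbbb222 removes it again.
SAMPLE_LOG = """\
commit aaaa111
    add prototype deploy script
diff --git a/deploy.py b/deploy.py
+++ b/deploy.py
+API_TOKEN = "EXAMPLE-not-a-real-token-0123456789"
+print("deploying")
commit bbbb222
    remove hard-coded token
diff --git a/deploy.py b/deploy.py
--- a/deploy.py
+++ b/deploy.py
-API_TOKEN = "EXAMPLE-not-a-real-token-0123456789"
+API_TOKEN = os.environ["API_TOKEN"]
"""

# Hypothetical detection rule: a quoted literal assigned to a secret-looking name.
SECRET_RE = re.compile(
    r'(?i)(token|secret|password|api_key)\s*=\s*["\']([^"\']{12,})["\']')
COMMIT_RE = re.compile(r"^commit ([0-9a-f]+)$", re.MULTILINE)


def split_commits(log: str) -> List[Tuple[str, str]]:
    """Return [(sha, patch_text), ...] in log order."""
    parts = COMMIT_RE.split(log)  # ['', sha1, body1, sha2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))


def scan_history(log: str) -> List[Dict[str, Optional[str]]]:
    """Track each secret literal across all commits, not only the current tree."""
    seen: Dict[str, Dict[str, Optional[str]]] = {}
    for sha, body in split_commits(log):
        for line in body.splitlines():
            if line.startswith(("+++", "---")):  # diff file headers, not code
                continue
            m = SECRET_RE.search(line)
            if not m:
                continue
            entry = seen.setdefault(m.group(2), {"introduced": None, "removed": None})
            if line.startswith("+") and entry["introduced"] is None:
                entry["introduced"] = sha  # first commit that added the literal
            elif line.startswith("-"):
                entry["removed"] = sha  # deleted from the tree, still in history
    return [{"secret": v, **e} for v, e in seen.items()]
```

A finding with both `introduced` and `removed` set is the case described above: the literal is gone from the working tree but anyone with read access to the repository can still recover it from the earlier commit, so it has to be treated as exposed and rotated.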