Recently, the source code of several high-profile companies was leaked online by a developer and reverse engineer going by the name Tille Kottmann. He was able to pull source code belonging to Microsoft, Adobe, AMD, Disney, Motorola, Nintendo, Qualcomm, Mediatek, Roblox, GE Appliances and more, and has published it on GitHub.
Kottmann was able to collect the data by searching misconfigured DevOps tools and several other tools. He then tagged the data “exconfidential” and “Confidential & Proprietary” on GitHub, where anyone can access it.
However, Bank Security has reported that not all of the posted repositories actually contain content. Some folders contain hard-coded credentials. One of the high-profile leaks is the source code of Nintendo games. Also called the “GigaLeak”, it includes the source code of some popular Nintendo games such as Super Mario Kart, The Legend of Zelda: A Link to the Past, and Yoshi’s Island.
Speaking to BleepingComputer, Kottmann said that he has tried to remove the hard-coded credentials from the posted data, so that hackers do not get an opportunity to misuse them. He told BleepingComputer, “I try to do my best to prevent any major things resulting directly from my releases.”
About the takedown of leaked source code
The developer said that they do not always inform affected companies, and they did not contact the companies this time either. However, Kottmann said that he will comply with takedown requests from the companies. In addition, he would gladly provide information about the security breach and how the companies can strengthen their security.
However, it seems that many companies are not even aware of the leak. Some companies are also more interested in learning how he got the information than in having it taken down.
Kottmann also said that many companies have exposed their source code through misconfigured DevOps tools. Furthermore, he believes that there are thousands of other companies that have not properly secured their SonarQube installations and, as a result, have exposed their proprietary code.