UPDATED 23:02 EST / JULY 27 2020

SECURITY

Source code from 50+ companies, including Nintendo, Microsoft and Adobe, published online

Source code from dozens of companies has been published online after a developer found the code exposed on public repositories.

More than 50 companies have had their source code published. They include Microsoft Corp., Adobe Systems Inc., Lenovo Group Ltd., Advanced Microsoft Devices Inc., Qualcomm Inc., Mediatek Inc., GE Appliances, Nintendo Co. Ltd. and the Walt Disney Co.

The developer, Tillie Kottmann, told Bleeping Computer today that it pulled the source code because of insecure DevOps applications that leave proprietary company information exposed. While noting that in releasing the code it does its best to prevent any major issues resulting directly from the releases, the developer admitted that affected companies are not always contacted before the code is released.

The published code from Nintendo is gaining much of the attention online because it gives an inside look at the source code behind a range of classic games including Mario, Mario Kart, Zelda, F-Zero and Pokemon series. The Nintendo code also includes pre-release art, fully playable prototypes of some games and even references to projects that were never completed.

“DevOps, DevSecOps and Configuration as Code, to name but a few buzzwords, all have a common element – they store source and potentially configuration information in code repositories,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, told SiliconANGLE. “The underlying technology used in many repositories was designed to facilitate collaboration within distributed teams, such as those common within open-source communities.”

Use of code repositories needs to be properly managed in order to avoid leaking critical information Mackey explained. “For example, an employee developing a set of QA tests will likely place their code in a repository,” he said. “If that code was intended as a prototype, they might not take precautions to properly manage secrets like passwords or access tokens. If the employee’s identity and employer is known, say via LinkedIn, and can be mapped to a repository, say GitHub, then a targeted attack could be mounted which looks for errors in judgement should the employee take short cuts when posting their prototype code.”

There’s some concern that the leaked code be used for nefarious purposes, such as a security specialist telling Tom’s Guide that “losing control of the source code on the internet is like handing the blueprints of a bank to robbers.” But other experts disagree.

“From a technical standpoint, these leaks are not that dramatic,” said Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb. “Most of the source code is worthless unless you have other pieces of technology and, importantly, people to make complicated systems work properly. Moreover, the source code rapidly depreciates without daily support and improvement. Thus, unscrupulous competitors will unlikely to get much value unless they are seeking a very specific piece of software.”

Image: Pikist

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU