Source code from 50+ companies, including Nintendo, Microsoft and Adobe, published online
Source code from dozens of companies has been published online after a developer found the code exposed on public repositories.
More than 50 companies have had their source code published. They include Microsoft Corp., Adobe Systems Inc., Lenovo Group Ltd., Advanced Microsoft Devices Inc., Qualcomm Inc., Mediatek Inc., GE Appliances, Nintendo Co. Ltd. and the Walt Disney Co.
The developer, Tillie Kottmann, told Bleeping Computer today that it pulled the source code because of insecure DevOps applications that leave proprietary company information exposed. While noting that in releasing the code it does its best to prevent any major issues resulting directly from the releases, the developer admitted that affected companies are not always contacted before the code is released.
The published code from Nintendo is gaining much of the attention online because it gives an inside look at the source code behind a range of classic games including Mario, Mario Kart, Zelda, F-Zero and Pokemon series. The Nintendo code also includes pre-release art, fully playable prototypes of some games and even references to projects that were never completed.
“DevOps, DevSecOps and Configuration as Code, to name but a few buzzwords, all have a common element – they store source and potentially configuration information in code repositories,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, told SiliconANGLE. “The underlying technology used in many repositories was designed to facilitate collaboration within distributed teams, such as those common within open-source communities.”
Use of code repositories needs to be properly managed in order to avoid leaking critical information Mackey explained. “For example, an employee developing a set of QA tests will likely place their code in a repository,” he said. “If that code was intended as a prototype, they might not take precautions to properly manage secrets like passwords or access tokens. If the employee’s identity and employer is known, say via LinkedIn, and can be mapped to a repository, say GitHub, then a targeted attack could be mounted which looks for errors in judgement should the employee take short cuts when posting their prototype code.”
There’s some concern that the leaked code be used for nefarious purposes, such as a security specialist telling Tom’s Guide that “losing control of the source code on the internet is like handing the blueprints of a bank to robbers.” But other experts disagree.
“From a technical standpoint, these leaks are not that dramatic,” said Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb. “Most of the source code is worthless unless you have other pieces of technology and, importantly, people to make complicated systems work properly. Moreover, the source code rapidly depreciates without daily support and improvement. Thus, unscrupulous competitors will unlikely to get much value unless they are seeking a very specific piece of software.”
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.