The Swiss Android developer Till Kottmann has discovered a number of data leaks that unintentionally expose source code, through his own research into incorrectly configured DevOps tools – including SonarQube servers, for example – as well as various other sources. The leaks affected around 50 companies from a wide range of industries, such as finance, technology, retail, manufacturing and e-commerce. According to Bank Security researchers, the data leaks were found not only at some banks and providers of identity and access management, but also at well-known companies such as Microsoft, Lenovo, Nintendo, AMD, Motorola, Disney and the Huawei subsidiary HiSilicon.
Detect data leaks, close data leaks
Kottmann has collected the leaked code of around 50 companies, which can evidently be classified as “Confidential & Proprietary”, in a publicly accessible GitLab repository. It is still unclear which parts of the disclosed code are proprietary to the affected companies. Sometimes the code also contains hard-coded credentials – the companies concerned were not always contacted in advance, as the Swiss developer admitted when asked by the online portal Bleeping Computer, but he strives to “minimize the negative impact of the publication”.
Kottmann apparently offers affected companies help in closing the leaks as a service. So far, however, not all of those he contacted have decided to seal the leaks. In addition, some of the developers behind the source code published in Kottmann’s GitLab repository have since commented on the data leaks themselves.
According to Kottmann, one of the most common causes of data leaks is poorly or even incorrectly configured infrastructure. In particular, DevOps tools such as the open source platform SonarQube, whose automated debugging and static code analysis services are used by many developers to identify vulnerabilities, can themselves become the source of a data leak. If the installation is not configured securely, it can also make proprietary code accessible, explains Kottmann.
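As an added illustration of the misconfiguration described above (not code from the article, from Kottmann or from SonarSource), the following script lets an administrator check their own SonarQube instance: it sends one unauthenticated request to the documented project-listing endpoint and reports whether anonymous browsing is enabled, which is the setting that turns an internal code-quality server into a source-code leak. The base URL is a placeholder; the JSON shape and the `sonar.forceAuthentication` property are the ones documented for SonarQube.

```python
"""Audit whether a SonarQube instance you operate lets unauthenticated clients
list (and therefore browse) projects. Constructed example; run against your own
server, e.g. http://localhost:9000 (placeholder).
"""
import json
import urllib.error
import urllib.request

# Documented SonarQube Web API endpoint: returns only the projects the caller is
# allowed to browse. A non-empty anonymous result therefore means anonymous
# browsing of those projects (including their sources) is enabled.
PROJECT_SEARCH = "/api/components/search?qualifiers=TRK&ps=100"


def classify_exposure(status: int, body: str) -> dict:
    """Turn the unauthenticated response into a verdict a defender can act on."""
    if status in (401, 403):
        return {"anonymous_browse": False, "projects": [],
                "advice": "OK: authentication is enforced for anonymous clients."}
    if status != 200:
        return {"anonymous_browse": None, "projects": [],
                "advice": f"Unexpected HTTP {status}; inspect manually."}
    try:
        components = json.loads(body).get("components", [])
    except json.JSONDecodeError:
        return {"anonymous_browse": None, "projects": [],
                "advice": "Non-JSON body; is this really a SonarQube instance?"}
    keys = [c["key"] for c in components if c.get("qualifier") == "TRK"]
    if not keys:
        return {"anonymous_browse": True, "projects": [],
                "advice": "Anonymous access allowed but no public projects; "
                          "set sonar.forceAuthentication=true anyway."}
    return {"anonymous_browse": True, "projects": keys,
            "advice": "Listed projects are browsable without login: set "
                      "sonar.forceAuthentication=true and make projects private."}


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Perform the request deliberately without any Authorization header."""
    req = urllib.request.Request(base_url.rstrip("/") + PROJECT_SEARCH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_exposure(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 401/403 arrive here, not as a return
        return classify_exposure(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    print(json.dumps(probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"), indent=2))
```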
The developer regularly reports on leaks on his website, on a Telegram channel and on Twitter under his pseudonym deletescape. Among other things, he also covered a major Nintendo leak known as the Gigaleak, which exposed the source code and development repositories of some classic games.