The operator of a public repository on GitLab has uploaded a treasure trove of source code from dozens of high-profile companies across tech, retail, finance, e-commerce and other sectors. The leaked data was reportedly compiled in a repository by Tillie Kottmann, a developer and reverse engineer. Some of the leaked code was collected from various online sources. However, the rest was said to have been discovered by Kottmann while looking for misconfigured devops tools.
According to cyber-security researcher, @Bank_Security, code from more than 50 companies is published in the repository. While some of the folders are empty, others are said to contain actual credentials. Some of the companies whose codes are found on the repo include Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Huawei Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, Disney and more.
The source code related to over 50 companies has been leaked and posted on a public repository.
In some cases there are hard-coded credentials.
— Bank Security (@Bank_Security) July 26, 2020
Meanwhile, Kottmann claims that the hardcoded credentials have been removed from the source codes ‘on a best effort basis’. In an interview to Bleeping Computer, they said: “I try to do my best to prevent any major things resulting directly from my releases”. The developer, however, admitted that they don’t always contact the affected companies before releasing the code. That said, Kottmann claimed that they always comply with takedown requests. Kottmann even volunteered to provide all information to the affected companies to strengthen their security infrastructure.
Meanwhile, the report suggests that some of the projects available in the Kottmann’s repo were made public by their original developers themselves, while others were last updated a long time ago. What’s more, it’s not immediately clear either as to how much of the code on Kottmann’s server is proprietary. It will be interesting to get more information regarding this leak in the days ahead.