Source Code Leaks
Source code is exactly what it sounds like. It’s the code that, when compiled, becomes the software or program that users see and experience. With a program’s source code, you can understand, control or alter the end product. And access to this code means you may be able to copy, disable, or breach an application. Often, that access can reveal trade secrets that help competitors.
Source code is the proverbial key to the kingdom, so code leaks are a serious problem. Sometimes an attacker maliciously leaks source code. Sometimes an honest mistake is to blame. Other times, it’s an “inside job.” Regardless of how the code is leaked, the result is the same: lost revenue and staggering security implications.
In this post, we'll talk about some high-profile examples of source code leaks. But before that, let's define what a source code leak is.
What is it?
A source code leak is when an event reveals application or operating system code outside of the company that owns it. It’s a type of data disclosure that reveals the inner workings of a company’s important intellectual property.
How is Source Code Leaked?
There are a few different types of source code leaks.
- Attacks: Hackers can steal source code via security breaches. For example, an attacker may compromise a developer’s login and steal code from the company’s source code control system or from a developer’s laptop.
- Leaks: Disgruntled, unethical, or careless employees may release source code to the public for personal reasons.
- Mistakes: Companies may leak source code via self-inflicted mistakes. This happens via insecure source code repositories or release media that includes code that shouldn’t be there.
What’s the Impact?
These revelations impact businesses in several different ways:
- Intellectual property: Source code is intellectual property that usually represents years of labor. When it’s revealed to competitors, it often means losing a competitive advantage, since the code contains trade secrets or not-yet-released features.
- Company reputation: Any security breach has an immediate impact on a company’s standing, but losing something as critical as source code has a significant impact on trust.
- Security breaches: Attackers can often use source code to find or create security exploits. This means that a source code leak may be the first step in a large security compromise.
Examples of Source Code Leaks
In 2022, Microsoft had its source code allegedly leaked by the hacking group Lapsus$. The group alleges they released source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server.
The Lapsus$ group posted a screenshot on their Telegram channel showing that they hacked into Microsoft's Azure DevOps server containing source code for Bing, Cortana, and several other internal projects.
According to Bleeping Computer, Lapsus$ leaked the code with a torrent file containing data about the different versions of Windows operating systems.
Security researchers who analyzed the leaked files told Bleeping Computer that they appear to be legitimate internal Microsoft source code.
Microsoft claimed that the impact of the leak is low because “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
In 2020, a security engineer discovered an unsecured source code repository belonging to Daimler AG, the company that makes Mercedes-branded vehicles.
The engineer was able to download more than 500 different source code repositories, including the code for onboard logic units (OLUs) that connect vehicles to the cloud. The OLU is the interface between the vehicle and third-party apps that retrieve data from the vehicle, like speed and location.
The engineer found the server via Google searches, which means the site was not only publicly accessible, but at least partially indexed by search engines. So, this is an example of a self-inflicted source code leak.
In addition to the source code, the leaked data also included passwords and API tokens that shouldn't be in source control, and could be used in further attacks.
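A check that catches this class of mistake before code reaches a shared repository is sketched below. It is an added example, not code from any of the companies discussed; the name patterns, the entropy threshold, and the sample lines are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed heuristic: a credential-like name assigned a quoted literal value.
ASSIGN = re.compile(
    r"""(?i)\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)"""
    r"""\s*[:=]\s*["']([^"']{8,})["']"""
)
MIN_ENTROPY = 3.0  # bits per character; assumed threshold, tune on your own code


def shannon_entropy(value):
    """Bits of entropy per character; placeholders such as 'xxxxxxxx' score low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(text, path="<memory>"):
    """Return (path, line_number, name) for each likely hardcoded credential."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, value in ASSIGN.findall(line):
            if shannon_entropy(value) >= MIN_ENTROPY:
                hits.append((path, line_no, name))
    return hits


# Constructed sample: one placeholder, one token, one environment lookup,
# and one password in YAML-style syntax.
SAMPLE = '''\
db_password = "xxxxxxxxxxxx"
api_token = "q7Zr2LpX9vTn4KdB8sWm"
api_key = os.environ["API_KEY"]
smtp_passwd: 'Vx3!mQ9z#Lw2'
'''

if __name__ == "__main__":
    for path, line_no, name in scan(SAMPLE):
        print(f"{path}:{line_no}: possible hardcoded credential in '{name}'")
```

Run as a pre-commit hook or CI step, a non-empty result should block the change; the environment lookup on line 3 is the pattern the flagged lines should be converted to.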
In 2018, Apple suffered an embarrassing source code leak when an intern took source code with them as they left the company. The code was already out of date when leakers revealed it to the public, but security researchers said it was still useful for analyzing how Apple implemented secure boot on the iPhone and iPad.
According to people close to the intern, they didn’t bear any ill will toward Apple, and they weren’t the person who leaked the code to the public. The intern was simply a member of the jailbreaking community. The former employee took a great deal more code than what was revealed in 2018, but no one released the rest of it to the public.
Apple downplayed the seriousness of the leak but immediately served GitHub, where the leaker hosted the code, with a takedown notice.
In May 2021, Mediatonic updated their popular Fall Guys game on Steam. The online update included a folder that was aptly named “BackUpThisFolder_ButDontShipItWithYourGame.” It included source code for the game. Mediatonic quickly caught the mistake and removed the files from the update, but there was a good chance someone had already grabbed the files.
The folder contained dynamically generated C++ code that helped Fall Guys run well on multiple platforms. The game’s cross-platform support had been critically acclaimed, and the leak risked compromising a competitive advantage.
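A release gate that inspects the staged build before upload would flag a folder like this one. The sketch below is an added example, not Mediatonic's or Steam's tooling; the extension list, the directory-name pattern, and the sample tree (apart from the folder name quoted above) are assumptions constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Assumed policy for this example; tune both to your own build output.
SOURCE_EXTS = {".c", ".cpp", ".h", ".hpp", ".cs", ".java", ".py", ".map"}
BAD_DIR = re.compile(r"^\.git$|^\.svn$|backup|dontship", re.IGNORECASE)


def find_leaks(root):
    """Return sorted (relative_path, reason) pairs for content that should not ship."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if BAD_DIR.search(d):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel.replace(os.sep, "/"), "denylisted directory"))
                dirnames.remove(d)  # one finding per directory; do not descend
        for f in filenames:
            if os.path.splitext(f)[1].lower() in SOURCE_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel.replace(os.sep, "/"), "source file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed staging tree: a binary, an asset, and two mistakes."""
    for rel in (
        "Game.exe",
        "Game_Data/level0.assets",
        "Game_Data/Plugins/helper.cpp",  # stray source file
        "BackUpThisFolder_ButDontShipItWithYourGame/generated/module_0.cpp",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as staging:
        build_sample_tree(staging)
        leaks = find_leaks(staging)
        for rel, reason in leaks:
            print(f"BLOCK RELEASE: {rel} ({reason})")
        sys.exit(1 if leaks else 0)
```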
In July of last year, a cyberattack occurred at Electronic Arts (EA) in which a group of hackers stole 780 GB of data, including the source code for "FIFA 21" and the Frostbite engine, which powers titles like "The Sims" and "Battlefield." Criminals began leaking information on the internet in an attempt to force the company to pay a ransom.
In a message left on Reddit and other forums, the hackers explained that they sent the developer an email detailing their intentions. After no response, the group decided to release a file with about 1.3 GB of stolen internal data, which includes references to the technologies used by the company, as well as information about games.
What Is the Motivation for a Source Code Leak?
There are many reasons source code leaks happen.
- Financial gain: Some attackers steal code so they can sell it or burnish their reputations as hackers.
- Corporate damage: Stealing and leaking a company’s code is an effective way to damage a company’s reputation and hurt its ability to make money.
- Carelessness: Some leaks, like the examples from Mercedes and Apple, are the result of poor security practices or simply not understanding the potential impact of releasing source code.
Any leak can damage a business's reputation, though. Users lose confidence in its products and services. Leaks may also help attackers create malware that exploits code and harms users, so their lack of trust is not unwarranted.
Source code leaks are a serious security problem. Even though they’re not as common as phishing or other account breaches, they can have an even more serious impact on your business.
Your development and DevOps teams need to treat code as seriously as they do financial and client data. Your code is an important trade secret, and if it’s leaked, the impact can range from public embarrassment to bankruptcy.