Maker of SonarQube defends DevOps product's security after source code leaks blamed on bad configurations

'Most companies' want to make code 'completely transparent' SonarSource claims – but not outside the firewall

SonarQube, an open-source product by SonarSource that claims to be "your teammate for Code Quality and Security", was the focus of adverse publicity recently when a computer consultant chose to publish proprietary source code from well-known companies on the internet – alleging it was largely obtained via badly configured SonarQube installations.

The code was leaked by Swiss computer consultant Tillie Kottmann, who boasts "probably leaking your code right now" on their Twitter profile, which also features a pinned tweet inviting anyone with "access to any confidential info, documents, binaries or source code, which you think should be made available to the public" to contact Kottmann "so we can discuss safely releasing it".

Kottmann published the code on a self-hosted GitLab repository and via a Telegram messaging channel, including source from Adobe, Microsoft, Lenovo, Fintech company iLendx, Gate Gourmet, Motorola, Qualcomm, Mediatek and more – though The Register understands much of it is of little interest.

The Microsoft folder was said to contain not the building blocks of Windows or SQL Server, but something ancient called Playready Trustedapp (for Amlogic platform), and we were told the Adobe folder included code for Behance, an image portfolio management product.

The incident did spark some anxiety, however, partly because Kottmann claimed they found instances of hardcoded credentials, though these were "generally stripped in the releases on a best effort basis". Kottmann apparently did not follow normal security best practice by informing companies of the vulnerability before posting the code, but did take down code on request.

Why the leaks? Was it to encourage companies not to be sloppy about securing their code? "That's definitely part of it," Kottmann told us, "but I'm also just very curious myself and so are many others. I find getting an insight into how (often badly unfortunately) proprietary software is built. And I guess at least some of my releases probably also have a hint of political motivation to them, though so far this has not yet led to abolishing capitalism and has mostly just made companies improve their security."

Kottmann claimed that much of the code was found in poorly secured repositories, many of which were leaked via SonarQube. Kottmann told The Register that while SonarQube does have built-in authentication, not everyone bothers with configuring it and that "it's just easy to misconfigure and I think a lot of companies don't realize that people can just download source code from there if they don't have any auth."

Kottmann said the insecure repositories are easy to find via internet searches. SonarQube is used by between 150,000 and 200,000 companies, SonarSource told us.

SonarSource CEO Olivier Gaudin has posted about the leaks, emphasising that access was because of "the way these specific SonarQube instances were configured, not because of a vulnerability in the SonarQube product itself". He made the point that SonarQube "is designed to sit behind the firewall", but the affected instances "are the ones that are accessible on the web and have not done the extra configuration to prevent unauthenticated access". SonarSource therefore implied that there was nothing to fix, though it will review "product improvements to better guide our users".

The argument that applications behind the firewall do not need securing is controversial. Simon Maple from open-source security specialist Snyk told us recently that "hackers love those developers" because "as soon as they do get past that firewall, it's party time".

Gaudin told us that SonarQube is not as easy to get past as Kottmann implied. "What Tillie has done is not completely straightforward," he said.

He added that giving relatively free access to source code inside the firewall is often in tune with policy. "In most companies, when they use SonarQube, they want to make code completely transparent. People have read-only access to all source code," though this is "not true in all companies". That's why the default settings let users view the code anonymously. "This becomes a problem when you put it outside the firewall," he said.

Will the default be changed? "We have discussed this," Gaudin told us. "It's a trade-off between adoption and security. We may end up with a demo mode and a production mode, where the production default is private, and the demo mode is public because you want zero friction for trying the product."

The value of source code to hackers is variable. In many cases it's not worth much since it is still protected by copyright. An analogy would be that owning a book does not give you the right to profit by republishing it. But access to source code could still help criminals find ways to compromise commercial software, or to bypass protection against unauthorised use. Gaudin said: "There is an industry expectation that you should be able to protect your source code."

There is a long-standing problem with secrets such as database logins and passwords hardcoded in source code. Many developers, it seems, still struggle with this. Running automated tests is part of the DevOps chain, for example, and sticking credentials in the source code is an easy way to get these working.
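The hardcoded-credential problem described above (and the "best effort" stripping Kottmann mentioned earlier) is the kind of thing a team can catch before code ever reaches a code-quality server. The following is an added example, not code from The Register, SonarSource or SonarQube's own secret-detection rules: a small Python scanner that flags common credential shapes in source text and skips obvious placeholders. The sample source it scans is constructed for this illustration; the AWS key in it is Amazon's documented example value, not a real credential.

```python
import re
from dataclasses import dataclass
from typing import List

# Each pattern names one credential shape that commonly ends up hardcoded.
# The generic rule requires a quoted literal after the assignment, so a lookup
# such as token = os.environ["API_TOKEN"] is not flagged.
PATTERNS = {
    "generic_credential_literal": re.compile(
        r"""(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'](?P<value>[^"']{6,})["']"""
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jdbc_url_with_password": re.compile(
        r"""(?i)jdbc:[a-z]+://[^\s"']*password=(?P<value>[^&\s"']+)"""
    ),
    "private_key_block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are clearly placeholders rather than live secrets.
PLACEHOLDER_VALUES = {"changeme", "password", "<password>", "xxxxxx", "example", "todo"}


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str


def looks_like_placeholder(value: str) -> bool:
    """True for template markers and well-known dummy values."""
    v = value.strip().lower()
    return v in PLACEHOLDER_VALUES or v.startswith("${") or v.startswith("<")


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value")
            if value is not None and looks_like_placeholder(value):
                continue
            findings.append(Finding(line_no, rule, line.strip()))
    return findings


# Constructed sample input (hypothetical hosts and values, not from any leak).
SAMPLE = """\
# constructed sample config module
DB_HOST = "db.internal.example"
DB_PASSWORD = "S3cr3tPassw0rd!"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
token = os.environ["API_TOKEN"]
TEST_PASSWORD = "changeme"
url = "jdbc:postgresql://db.internal.example/app?user=app&password=hunter22"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Running the module on the constructed sample reports the literal database password, the AWS access key ID, the password embedded in the JDBC URL and the private-key header, while the environment lookup and the "changeme" placeholder pass. A check like this belongs in a pre-commit hook or CI step so that a credential never reaches a repository, or a code-quality server, in the first place.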

For every person like Kottmann who is finding and leaking source code, there may be others who are more discreet and less well-intentioned.

Adobe told us: "We are aware of the site and worked with the respective parties to have the content removed. We have no evidence to suggest that any Adobe systems or customers have been compromised due to this issue." ®
