Information Leakage / Disclosure of Source Code
Description
Disclosure of source code occurs when an application or system lets parties who should only see its behaviour read its implementation: a web server that returns script files as plain text instead of executing them, a repository directory (.git, .svn) or an editor backup (config.php.bak) left under the document root, a verbose error page that echoes the failing line, or a development server that was promoted to production unchanged. The code is sensitive less for its own sake than for what ships with it: hardcoded credentials and API keys, internal hostnames and undocumented endpoints, and the exact logic an attacker needs to find exploitable bugs without probing the live system. The weakness class is catalogued by the Common Weakness Enumeration (CWE) as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); secrets embedded in code map more specifically to CWE-540 (Inclusion of Sensitive Information in Source Code) and backup files reachable from the web to CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere). The OWASP Testing Guide covers it under its information leakage tests.
Risk
The direct risk is loss of confidentiality: proprietary code and, more urgently, any secrets stored alongside it. Leaked credentials are usually the first thing exploited. The indirect risk is larger. With the code in hand an attacker can audit it offline for injection flaws, authentication bypasses and business-logic errors, and arrive at the live system with a working exploit rather than a scanner. Severity therefore depends on what was exposed: a leaked static front-end is a nuisance, a leaked backend with embedded database credentials is critical. Treat any confirmed source disclosure as a likely precursor to further compromise: rotate every credential found in the code and prioritise a security review of the exposed components.
Solution
Source disclosure is almost always a deployment or configuration problem rather than a code problem, so the controls are mostly operational:
- Keep application source, configuration and secrets outside the web server's document root; only the assets the public must fetch belong there. Configure the server so script files are handed to the interpreter and never served as static content, and disable directory listings.
- Deploy from a clean build artifact, not a working copy. Version-control metadata (.git, .svn), .env files, editor swap and backup files (*.bak, *.orig, *~), database dumps and archives must never reach production. Add a pre-deploy check that fails the pipeline when any such file is present in the web root.
- Do not store secrets in code at all; inject them at runtime from a secrets manager or the environment, so that a code leak does not also become a credential leak.
- Return generic error pages in production; stack traces and absolute file paths are themselves a form of source disclosure.
- Restrict access to the repositories that hold the code: single sign-on with multi-factor authentication, least-privilege permissions and short-lived tokens, plus secret scanning on commits. Repositories and misconfigured Git servers are the other common leak path.
- Review the code regularly for vulnerabilities and fix them promptly, on the assumption that an attacker may eventually read it. Monitor access logs for probes such as /.git/HEAD, /.env and /*.bak; a web application firewall rule can block these requests, but it is a compensating control, not a fix for files that should not be there.
Example
A typical case is a PHP application deployed by copying the developer's working directory straight into the web root. The copy brings along the .git directory and a config.php.bak left behind by an editor. Nothing in the server configuration stops those paths from being served: a request for /.git/config confirms the repository is there, a request for /config.php.bak returns the database credentials as plain text, and because Git's object store is ordinary files, the whole history can be reconstructed from /.git with standard tooling. The same outcome arises when the script handler is misconfigured or disabled so that .php files are returned verbatim, when a Node or Python framework's static-file middleware is pointed at the project root instead of a dedicated public directory, or when directory listing is enabled and reveals what is there to fetch.
Related incidents
- In September 2020, source code for Windows XP and Windows Server 2003 was posted publicly online; the code had reportedly circulated privately for some time beforehand.
- In November 2020, a commit containing GitHub's own source code was pushed to GitHub's public github/dmca repository. GitHub attributed the exposure to source that had been shipped by mistake inside a GitHub Enterprise Server distribution, not to an intrusion.
- In January 2021, source code for Nissan North America's mobile apps and internal tools leaked after a Git server was left reachable from the internet with default credentials.
- In June 2021, Electronic Arts lost roughly 780 GB of data, including FIFA 21 and Frostbite engine source, after attackers used a purchased Slack session cookie and social-engineered IT support into granting them access.
- In October 2021, about 125 GB of Twitch data including its source code was posted online; Twitch attributed the exposure to a server configuration change.