Software Security

“Source Code Leak” is Effectively Meaningless to Endpoint Security

There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.

  1. The Team Fortress 2 Source Code has been leaked.
  2. Hackers discovered a Remote Code Execution exploit.

The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)

The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.

Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.

I will explain.

Soatok Explains it All
Professor Dreamseeker is in the house. Twitch Emote by Swizz.

Why Source Code Leaks Don’t Matter for Security

You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.

How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.

But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.

How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.

Why are you making that sound trivial?
Because it is trivial!

If you don’t believe me, choose a random game from your Steam library.

Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.

Binaries containing No Man's Sky.
Me, following these steps to locate the No Man’s Sky binary.

If your game is a typical C/C++ project, you’ll next want to install Ghidra.

Other platforms and their respective tools:

  • Java games (.jar files): Luyten
  • .NET games: ILSpy
  • Android apps: dex2jar then Luyten (as per Java)

If you see a bunch of HTML and JS files, you can literally use to make the code readable.

Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.

Decompiled code from No Man’s Sky’s NMS.exe file on Windows.

Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.

Every Information Security Expert Knows This

Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.

There’s a derisive term for this belief: Security Through Obscurity.

The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.

In Conclusion

Remote Code Execution is bad.

The Source Code being public? Yawn.

Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.

Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.

Well damn if that doesn’t capture my interest.

Now this is the kind of story that makes Twitter worthwhile!

Is the RCE Exploit Even Real?

Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:

Fake news and old news are strange (yet strangely common) bedfellows.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

3 replies on ““Source Code Leak” is Effectively Meaningless to Endpoint Security”

Bark My Way

This site uses Akismet to reduce spam. Learn how your comment data is processed.