The source code of Yandex services has been made publicly available. Information about this appeared on the Habr portal on January 26, 2023. It is not specified which services are involved, but they can be identified by the names of the largest archives: frontend (18.26 GB), classifieds (4.67 GB), market (4 GB), taxi (3.3 GB), portal (2.35 GB). “The total volume of archives (in compressed form) is more than 44.7 GB,” Habr reports.
A Yandex representative confirmed the leak to Vedomosti but, according to him, the code is not current. “Yandex security service has found code fragments from an internal repository in the public domain. However, their content differs from the current version of the repository, which is used in Yandex services,” he said.
Why Yandex needs a repository
A repository is a tool for storing and working with code. This approach, as a rule, is used by most IT companies in internal processes. Repositories are not designed to store users’ personal data, a Yandex representative assures.
The cause of the leak could be the actions of an employee, a source close to Yandex told Vedomosti. The press service did not comment on this information. “We are conducting an internal investigation into the reasons for getting fragments of the source code into the public domain, but we do not see any threat to our users’ data or platform performance,” a representative of the IT company emphasized.
But, according to Daria Zubritskaya, director of marketing and communications for the Raketa digital platform, the leak is more serious than Yandex makes it out to be, and affected about 79 different services. Among them are public services, such as “Search engine”, “Yandex.Maps”, “Yandex.Taxi”, as well as auxiliary and supporting services (for example, “Yandex.Metrika”, API, captcha), she lists. According to Mikhail Chukhlomin, business development manager for Guardant (Aktiv company), the scale is even larger and concerns about a hundred Yandex services and products.
The source code can contain, for example, Alice’s learning algorithms or scripts for tracking all user subscriptions and interacting with them, warns Anton Yakimov, deputy general director of T1 Group for technological development. The most dangerous case is if it contains data about how the internal security of products is ensured, he says. According to Zubritskaya, the source code definitely contains the programs’ algorithms, and it can also contain logins and passwords for service accounts.
But the code posted in open access will not allow anyone to launch their “own” Yandex.Taxi or Yandex.Maps, Chukhlomin reassures. “These are very large, complex projects with a lot of dependencies that cannot be assembled outside of the Yandex infrastructure,” he believes. Indeed, deploying your own service based on this code will not work, Zubritskaya confirms.
Given the amount of data posted, it is difficult to assume that the leak could be the result of a hacker attack, says Daniil Chernov, director of the Solar appScreener center at RTK-Solar. With a high degree of probability, the leak was indeed caused by the actions of an employee, and the date “02/24/2022” (all files are marked with this date) was the motive. The code is not the latest, but it is still fairly current, so most of it can still be used, says Vladimir Ulyanov, head of the Zecurion analytical center. At the same time, the leak will not affect the performance of services, he said.
The leak does not directly affect user data, but studying the source codes can help attackers find clues, Ulyanov continues. Such leaks can lead to the exploitation of unknown vulnerabilities, a Vedomosti source in one of the cybersecurity companies confirms. “For example, attackers, having received this code, can find weaknesses, not alert them (not report them. – Vedomosti) to the company affected by the leak, but start writing an exploit (program code or a set of instructions that allows you to use the vulnerability to attack),” he says. Thus, they can get access to user information or get inside the company, encrypt data, leak data to the public, distribute malware, the interlocutor warns.
Source codes can be used by hackers to clone Yandex services to develop an attack vector, says Roman Karpov, head of the information security committee of the National Soft ARPP. This leak allows attackers to look for vulnerabilities in Yandex products in order to further gain access to user data or manipulate algorithms in services, Chukhlomin emphasizes. “Such leaks are a kind of “doping” for attackers who, by analyzing data, gain access to information about algorithms, specific technical implementations of services,” agrees Cyberprotect information security expert Evgeny Rodygin.
In most companies that care about the security of their intellectual property, the source code written by the company’s employees is protected as a trade secret, says Anna Sarbukova, leading legal adviser at EBR law firm. Most likely, Yandex also uses this type of protection. Therefore, if the culprit turns out to be inside the company, he may face both disciplinary and administrative or criminal punishment, the lawyer explains.
The size of the source code leak does not affect the extent of the employee’s liability; only the consequences matter, says Sarbukova. If, as a result of the source code leak, the Yandex search engine and/or any services stop working, the employee may be held administratively or even criminally liable. If the leak did not cause any significant consequences, then there is no corpus delicti in the employee’s actions, so only disciplinary measures (reprimand, dismissal, etc.) can be applied to him, she explains.
If an organization has a person responsible for information security and incident investigation, then there is also a high probability that this person will face disciplinary action as a result of a leak, adds Irina Abdeeva, member of the commission for legal support of the digital economy of the Moscow branch of the Russian Bar Association and Moscow Digital School expert. In addition, in the investigation of the leak, the employee’s motivation (whether the incident occurred intentionally or through negligence) and the method of the leak (for example, negligent performance of duties or intentional hacking) may matter, says Yaroslav Shitsle of “Rustam Kurmaev and Partners”.
In general, the event can cause both reputational and commercial damage, says a Vedomosti source in one of the cybersecurity companies. After an internal investigation, Yandex will most likely review its current approaches to security and its organizational structure, and change its architecture and development processes, he concludes.