Yandex has published the first results of an internal corporate investigation into the leak of fragments of the source code of some of its services. Representatives of the IT giant assure that there is no threat to user security or to the operation of the services, but admitted that the code contained personal data of taxi drivers and racist statements, and that the "Alice" voice assistant was sometimes switched on without the user's permission.
Outdated repository version
Representatives of Yandex shared the first results of an investigation into the leak of the source code of some of the company's services into the public domain. The statement was published on the official Yandex page.
Information security specialists confirmed that the published fragments were taken from an internal repository in which developers work on the code. However, the contents of the archive that reached the Web are outdated and differ from the current version, the company assures.
In addition, parts of the code contained test algorithms that were used only inside Yandex to verify the correct operation of services.
The leak of the code became the reason for a large-scale internal corporate investigation
"Primary analysis showed that the published fragments do not pose any threat to the security of our users or the operation of the services," the statement reads.
The company said that in the near future it will create a new service responsible for checking that code complies with corporate principles and policies. Data that is not related to the algorithms and settings of the services is already being moved out of the repository so that it is better protected.
Large-scale investigation
The incident prompted an audit of the entire contents of the repository. The company's specialists found violations of its own corporate ethics policies, principles and rules.
For example, the code contained the contact details of drivers of the Yandex.Taxi service, including their phone numbers and driver's licence numbers. This information was transferred from one taxi company to another. One of the algorithms switched on the microphone of a mobile device for several seconds without notifying the user; it was written to combat false positives and improve the quality of "Alice" activation.
In the Yandex.Lavka service, the developers discovered that product recommendations could be placed without the "advertising" label. Some parts of the code, the information security specialists admitted, contained words that did not affect the operation of the services but were offensive to people of different races and nationalities. In this regard, we note that after the leak a screenshot circulated in Runet showing a code fragment containing the word "Nikger", which, although spelled slightly differently, is considered offensive to Black Americans (where it must be mentioned, the press renders it as the "n-word").
"One of the principles of Yandex says: our work is based on the principles of honesty and transparency," the statement reads. "We proceed from the fact that any internal dialogue, document or source code can become public under certain circumstances. And if this happens, we should not be ashamed. Now we are very ashamed, and we apologize to our users and partners."
Causes of the leak
Representatives of Yandex said that the leak was related to developers' attempts to manually improve a service or fix an error. This practice arose because for many years Yandex followed the Zero Bug Policy approach, that is, zero tolerance for bugs. As a result, errors were fixed with the help of temporary workarounds. Now the company plans to rethink its methods.
RBC, citing an unofficial representative of the company, reports that the source of the leak was a Yandex employee and that no hacker attack was involved.
Technoethics and morality
Representatives of the company considered how their solutions meet the norms of universal morality and the company's own principles, and how understandable they are to users and partners.
"It became obvious that the company's management paid little attention to these issues," Yandex admitted, adding that it would soon publish its standards and principles of technoethics on its website.
As an example of following such standards, the company cited its 2020 decision not to let its browser search for people by photo, so as not to violate their personal security. Yandex also declined to develop a project for assessing potential bank customers applying for a loan.
History of the leak
Recall that an archive containing 45 GB of source code and related data from Yandex services and programs appeared on the Internet on January 25, 2023. All the leaked files were dated February 24, 2022.
The code for most of the company's services, including mail, music, cloud storage and the taxi aggregator, ended up in the public domain. In a conversation with CNews, information security specialists noted that it will now be much easier for attackers to find vulnerabilities in Yandex services, and that large leaks of user data can be expected in the future.
In an interview with uSiic.co, the head of the Internet Investigation Company added that someone will now be able to "repeat the know-how of Yandex development, some tricks and nuances."
"It is clear that many will now be examining the leaked code to understand how the company monitors its users and what data it collects. This is not the first leak of this kind, but, of course, it will be hushed up. The company, as always, will say that all this is useless junk," Bederov said.