Mercedes-Benz Accidentally Leaked Private Data, Including Source Code

The automaker accidentally left a private key online exposing internal data, including the firm’s source code


Mercedes-Benz unintentionally leaked a trove of internal data by leaving an obscure key online that gave "unrestricted access" to the company's source code, according to the security research team that unearthed it. 

TechCrunch was notified of the exposure by RedHunt Labs' co-founder and chief technology officer Shubham Mittal, who also requested help in notifying the automaker. The London-based cybersecurity firm claimed that during a standard internet scan in January, it found the authentication token of a Mercedes employee in a public GitHub project.

According to Mittal, this token, which is used in place of a password to authenticate to GitHub, could give anyone complete access to Mercedes's GitHub Enterprise Server, allowing them to acquire the company's proprietary source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained. “The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”

Mittal provided TechCrunch with evidence that Mercedes source code, a Postgres database, and keys for Microsoft Azure and Amazon Web Services (AWS) were all present in the exposed repository. Whether any customer data was present in the repositories is unknown.
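The exposure described above started with a GitHub access token committed to a public repository. As an added illustration (not code from the article, RedHunt Labs or Mercedes), the following scanner flags strings matching GitHub's published token prefixes in a file or commit diff and drops low-entropy placeholders; the exact lengths and the constructed sample token are assumptions.

```python
import math
import re
from collections import Counter

# GitHub's documented prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_);
# the fixed lengths are an assumption based on the current token formats.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; real tokens sit well above repeated-character filler."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(token: str) -> str:
    """Keep the prefix and last 4 chars so a finding can be reported without re-leaking it."""
    return token[:4] + "..." + token[-4:]


def find_github_tokens(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return masked findings (line number, masked token, entropy) for each likely token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            tok = m.group(0)
            ent = shannon_entropy(tok)
            if ent < min_entropy:
                continue  # documentation placeholders such as ghp_xxxx... are skipped
            findings.append({"line": lineno, "token": mask(tok), "entropy": round(ent, 2)})
    return findings


# Constructed sample input: a shell profile with one realistic-looking fake token
# and one placeholder. Neither is a real credential.
SAMPLE = (
    "# constructed sample, not real credentials\n"
    "export GITHUB_TOKEN=ghp_Ab3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5\n"
    "# docs placeholder, should be ignored: " + "ghp_" + "x" * 36 + "\n"
)

if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE):
        print(f"line {f['line']}: {f['token']} (entropy {f['entropy']})")
```

Wiring a check like this into a pre-commit hook or CI job catches a token before the push that makes it public; it complements, rather than replaces, revoking any token that has already been committed.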

Mercedes was informed of the security flaw by TechCrunch on Monday of last week. Mercedes official Katja Liesenfeld stated on Wednesday that the company has revoked the respective API token and removed the public repository immediately. 

“We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organisation, products, and services is one of our top priorities. We will continue to analyse this case according to our normal processes. Depending on this, we implement remedial measures,” Liesenfeld added. 

Mercedes declined to comment on whether it was aware of any unauthorised access by third parties to the leaked data, or whether it has the technical means, such as access logs, to determine whether unauthorised access to its data repositories occurred. The representative cited unspecified security reasons for not answering.

The personal information of Hyundai Motor India customers who had their vehicles serviced at Hyundai-owned stations throughout India, including names, mailing addresses, email addresses, and phone numbers, was exposed due to a bug that was fixed by the company's India subsidiary, as TechCrunch exclusively reported earlier this month.