
A mistakenly published password exposed Mercedes-Benz source code

The security research group that found it says Mercedes-Benz mistakenly exposed a large amount of internal data after a secret key granting “unrestricted access” to its source code was left online.

RedHunt Labs co-founder and CTO Shubham Mittal informed Eltrys of the exposure and asked for help notifying the automaker. The London cybersecurity firm found a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.

Mittal says the token, which serves as an alternative to a GitHub password, could have allowed anyone to log in to Mercedes’s GitHub Enterprise Server and download its private source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal told Eltrys. The repositories include valuable information such as connection strings, cloud access keys, blueprints, design papers, single sign-on passwords, API credentials, and more.

Mittal provided evidence that the accessible repositories contained Microsoft Azure and AWS keys, Postgres details, and Mercedes source code. It is unknown whether any of the repositories contained customer data.
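As an added illustration, not part of the original article or of RedHunt Labs' tooling, the scanner below flags the kinds of credentials the article names (a GitHub token, an AWS access key, a Postgres connection string with an inline password) in text about to be committed; it assumes the documented “ghp_” and “AKIA” prefixes and runs over a constructed sample file:

```python
import re

# Patterns for the credential types the article names. The "ghp_" and
# "AKIA" prefixes are documented vendor formats (assumed here); the
# Postgres pattern matches a URL that carries a password inline.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "postgres_url_with_password": re.compile(
        r"\bpostgres(?:ql)?://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}


def redact(secret):
    """Keep only a short prefix so a report never re-leaks the value."""
    return secret[:8] + "..."


def scan_text(text):
    """Return a list of (line_no, kind, redacted) for each secret found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings


# Constructed sample resembling a config file committed by mistake.
# The values are made up and are not valid credentials.
SAMPLE = """\
# ci settings
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for line_no, kind, redacted in scan_text(SAMPLE):
        print(f"line {line_no}: {kind}: {redacted}")
```

Wired into a pre-commit hook that refuses the commit when `scan_text` returns anything, a check like this catches the mistake before the repository is ever pushed; it complements, rather than replaces, revoking the token and monitoring token usage on the server side.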

Mercedes was alerted to the exposure by email on Monday. Mercedes spokesperson Katja Liesenfeld said on Wednesday that the company “revoked the respective API token and removed the public repository immediately.”

“We can confirm that internal source code was published on a public GitHub repository by human error,” Liesenfeld told Eltrys. “The security of our company, goods, and services is a major priority.”

“Our standard procedures will be followed to examine this matter. We take corrective action based on this,” Liesenfeld said.

According to Mittal, the exposed key had been public since late September 2023. But who else found it?

Mercedes did not say whether it is aware of any third-party access to the exposed data, or whether it has access logs that would establish if its repositories were improperly accessed. A representative cited unspecified security reasons.

TechnologyCrunch exclusively reported last week that Hyundai Motor India fixed a bug that exposed its customers’ names, mailing addresses, email addresses, and phone numbers at Hyundai-owned stations across India.
