Summary
Recently, researchers at Redhunt Labs discovered that Mercedes-Benz had inadvertently left a private key publicly accessible, exposing internal data, including the company's source code. It is unclear whether the breach exposed customer data.
Redhunt Labs shared its findings with TechCrunch and, with TechCrunch's help, notified the automaker. The security firm discovered that an authentication token belonging to a Mercedes employee had been exposed in a public GitHub repository. The discovery came during a routine internet scan in January.
The disclosed token had the potential to provide unrestricted access to Mercedes' GitHub Enterprise Server, allowing anyone to retrieve the company's private source code repositories.
Shubham Mittal, co-founder and CTO of Redhunt Labs, told TechCrunch: "The GitHub token had 'unrestricted' and 'unmonitored' access to the entire source code hosted on the internal GitHub Enterprise Server. These repositories contain a large amount of intellectual property ... connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API keys, and other critical internal information."
Mittal provided evidence to TechCrunch confirming the presence of Microsoft Azure and Amazon Web Services (AWS) credentials, Postgres database credentials, and Mercedes source code.
The exposed repositories therefore contained Microsoft Azure and AWS credentials, Postgres database credentials, and Mercedes source code.
Once Mercedes became aware of the data breach, it revoked the exposed tokens and deleted the public repository.
TechCrunch disclosed the security issue to Mercedes on Monday. On Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company "immediately revoked the corresponding API tokens and removed the public repository."
Mercedes spokesperson Katja Liesenfeld told TechCrunch: "We can confirm that internal source code was posted on a public GitHub repository due to human error. The security of our organization, products and services is one of our top priorities. We will continue to analyze the case as normal and will take remedial action accordingly."
An investigation into the leak revealed that the token had been online since late September 2023. However, it is unclear whether any other parties gained unauthorized access to the automaker's data.
Mercedes declined to disclose whether it was aware of any third party having accessed the exposed data, or whether the company had the technical capability (such as access logs) to determine whether there had been any inappropriate access to its repositories. The company cited unspecified security reasons.