Mercedes-Benz Faces Security Scare as Internal Data Exposed in GitHub Blunder


January 31: Mercedes-Benz inadvertently exposed a substantial cache of internal data, including source code and other sensitive material, after a GitHub authentication token was left in a public repository. The discovery was made by cybersecurity firm RedHunt Labs, which found the token in a public GitHub repository linked to a Mercedes employee and reported the issue.

Shubham Mittal, CTO and co-founder of RedHunt Labs, said the GitHub token, which is used in place of a password to authenticate to GitHub, granted unrestricted access to Mercedes's GitHub Enterprise Server. With it, anyone could download the car manufacturer's private source code repositories, exposing intellectual property along with connection strings, cloud access keys, blueprints, design documents, single sign-on passwords and API keys.

The exposed repositories reportedly contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes's proprietary source code. Whether customer data was present remains unclear, but the exposed material poses a significant security risk on its own.
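The two paragraphs above describe the chain that made this incident serious: one GitHub token in a public repository, and behind it repositories holding cloud keys and database credentials. The scanner below is an added example, not code from the original article or from RedHunt Labs, showing the kind of check that catches such material before it is pushed (or finds it afterwards in a checkout). It matches the documented GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) and AWS access key ID prefixes (`AKIA`, `ASIA`); the Postgres URL and Azure storage key patterns are structural assumptions and may need tightening. The sample `.env` content, the `REMEDIATION` text and the `redact` format are all constructed for this example.

```python
"""Scan text or a directory tree for credential patterns of the kinds named
in the Mercedes report: GitHub tokens, AWS access key IDs, Postgres
connection strings and Azure storage account keys.

Added example, not code from the original article or from RedHunt Labs.
Pattern details are assumptions based on publicly documented token formats;
tune them for your environment.
"""
import os
import re
from dataclasses import dataclass

# GitHub documented the gh?_ prefixes (ghp_ personal, gho_ OAuth, ghu_
# user-to-server, ghs_ server-to-server, ghr_ refresh) and github_pat_ for
# fine-grained tokens; AWS access key IDs start with AKIA (long-lived) or
# ASIA (temporary). The Postgres and Azure patterns are structural guesses.
SECRET_PATTERNS = {
    "github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
    ),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "postgres_url": re.compile(r"postgres(?:ql)?://[^:\s/@]+:[^@\s]+@[^\s;'\"]+"),
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
}

# A finding means "treat as compromised". Revoking the token that exposed a
# repository is not enough; every key reachable through it needs rotating too.
# (Assumed guidance text, written for this example.)
REMEDIATION = {
    "github_token": "revoke the token in GitHub settings and audit its recent usage",
    "aws_access_key_id": "deactivate the key in IAM, rotate it, review CloudTrail",
    "postgres_url": "change the role password and review connection logs",
    "azure_storage_key": "regenerate the storage account key and update consumers",
}


@dataclass
class Finding:
    kind: str
    source: str
    line_no: int
    redacted: str


def redact(secret: str) -> str:
    """Keep enough of a secret to recognise it in a report, never the whole value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, source: str = "<string>") -> list[Finding]:
    """Return every credential-looking match in text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, source, line_no, redact(match.group(0))))
    return findings


def scan_path(root: str, skip_dirs=(".git", "node_modules")) -> list[Finding]:
    """Walk a checkout and scan each readable text file (binary content is skipped)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:
                continue  # crude binary check
            findings.extend(scan_text(raw.decode("utf-8", errors="ignore"), path))
    return findings


# Constructed sample .env file; every value is fake (the AWS key ID is AWS's
# own documentation placeholder) and none of them grants access to anything.
SAMPLE_CONFIG = (
    "# constructed sample, all values are fake\n"
    "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "DATABASE_URL=postgres://app:S3cretPass@db.internal.example:5432/telemetry\n"
    "AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;"
    "AccountName=example;AccountKey=" + "B" * 86 + "==;EndpointSuffix=core.windows.net\n"
    "LOG_LEVEL=info\n"
)


def report(findings: list[Finding]) -> list[str]:
    """One line per finding with the remediation a responder should take."""
    return [
        f"{f.source}:{f.line_no} {f.kind} {f.redacted} -> {REMEDIATION[f.kind]}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(scan_text(SAMPLE_CONFIG, "settings.env")):
        print(line)
```

Run as a pre-commit hook with `scan_path(".")` against the staged tree, or point it at a full clone to find what is already in history; the redacted output is safe to paste into a ticket, which the raw match is not. Pattern matching alone misses secrets with no fixed prefix (AWS secret access keys, arbitrary API keys), so pair it with GitHub's built-in secret scanning and push protection where the platform offers them.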

RedHunt Labs alerted TechCrunch to the finding, and Mercedes has since remediated the issue. A company spokesperson, Katja Liesenfeld, confirmed that Mercedes had revoked the API token and removed the public repository. “The security of our organization, products, and services is one of our top priorities,” Liesenfeld said, adding that the case would be analyzed further and that remedial measures might follow.

The exposure was the result of human error, underscoring how hard it is to keep secrets out of source control in complex software development workflows. Mercedes has not disclosed whether any third party accessed the exposed data, and it declined, citing security reasons, to say whether it has the technical means to detect improper access or to share access logs. That leaves a gap a responder cannot close by revoking the token alone: with no record of who read the repositories, every credential they contained, including the Azure, AWS and Postgres keys, has to be treated as compromised and rotated.


This incident is a reminder of how much proprietary information can hinge on a single credential, particularly as businesses rely on collaborative, fast-moving software development practices. As Mercedes assesses the impact of the lapse, the broader industry has reason to revisit how it keeps tokens and keys out of public repositories, and how it detects them when they get there.
