Mercedes-Benz source code was exposed by an easy-to-miss security flaw
A GitHub token was found in an open-source repository, granting access to a treasure trove of Mercedes-Benz data.
Mercedes-Benz had a glaring vulnerability in an open-source repository that exposed its source code, a treasure trove of valuable, sensitive information, and put the company at risk of regulatory fines. Whether anyone managed to exploit the flaw before it was found and plugged remains to be seen.
Cybersecurity researchers from RedHunt Labs found a GitHub repository belonging to a Mercedes employee in late September 2023.
This repository contained a GitHub token which granted access to the company’s internal GitHub Enterprise Server.
Human error
“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the Internal GitHub Enterprise Server,” RedHunt Labs’ report claims. “The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information.”
The researchers suggest that this was a major mishap that could cost the company dearly. By reverse-engineering the source code, other automakers could uncover the secrets of proprietary tech. Attackers could do the same to find flaws, both in the vehicles and in the company's own systems, which could in turn lead to cyberattacks such as ransomware.
Finally, if the repositories held sensitive customer data, data protection watchdogs will have a field day as well.
However, in a statement given to BleepingComputer, Mercedes says that won’t be the case.
“We can confirm that source code containing an internal access token was published on a public GitHub repository by human error,” the company said. “This token gave access to a certain number of repositories, but not to the entire source code hosted at the Internal GitHub Enterprise Server. We have revoked the respective token and removed the public repository immediately. Customer data was not affected as our current analysis shows.”
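The root cause on both accounts is the same: a credential committed to a public repository. As an added example (not code from the article, RedHunt Labs or Mercedes-Benz), here is a small Python scanner that flags the secret formats the report names before a file is pushed; the GitHub classic-token and AWS access key ID shapes are the documented ones, while the fine-grained token length and the connection-string pattern are heuristics (assumptions), and the sample file is constructed.

```python
import re
import sys

# Secret formats named in the RedHunt Labs report. The GitHub classic-token shape
# (ghp_/gho_/ghu_/ghs_/ghr_ prefix plus 36 characters) and the AWS access key ID
# shape are the documented formats; the fine-grained token length and the
# connection-string pattern are heuristics (assumptions), so tune them locally.
PATTERNS = {
    "github_classic_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_token": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(r"\b\w+://[^\s:/@]+:[^\s@/]+@\S+"),
}

def redact(secret: str) -> str:
    """Keep only the head and tail so a finding can be triaged without re-leaking it."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_text(text: str) -> list:
    """Return (line_number, finding_type, redacted_value) for every match in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings

# Constructed sample of a config file that should never reach a public repository.
SAMPLE_FILE = "\n".join([
    "# constructed sample, not real credentials",
    "GITHUB_TOKEN=ghp_" + "x7" * 18,
    "DATABASE_URL=postgres://app:Sup3rSecret@db.internal.example:5432/prod",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "LOG_LEVEL=info",
])

def main(paths) -> int:
    """Pre-commit style entry point: a non-zero exit blocks the commit when secrets are found."""
    sources = {p: open(p, encoding="utf-8").read() for p in paths} or {"<sample>": SAMPLE_FILE}
    total = 0
    for path, text in sources.items():
        for lineno, kind, value in scan_text(text):
            print(f"{path}:{lineno}: {kind}: {value}")
            total += 1
    return 1 if total else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the constructed sample, or pass the staged file paths from a pre-commit hook; pair it with server-side secret scanning and push protection, since a local hook alone is easy to bypass.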