Mercedes-Benz accidentally exposed a trove of internal data after it left a private key online that provided “unrestricted access” to the company’s source code, according to the security research firm that discovered it.
Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the report and asked for help exposing the automaker. The London-based cybersecurity firm said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine web scan in January.
According to Mittal, this token—an alternative to using a password to authenticate to GitHub—could give anyone full access to Mercedes’ GitHub Enterprise Server, thereby allowing the company’s private source code repositories to be downloaded.
“The GitHub token provided ‘unrestricted’ and ‘untracked’ access to the entire source code hosted on the internal GitHub Enterprise server,” Mittal explained in a report shared by TechCrunch. “The repositories contain a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API keys and other critical internal information.”
Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes’ source code. It is not known if any customer data was contained in the repositories.
TechCrunch revealed the security issue at Mercedes on Monday. On Wednesday, Mercedes spokeswoman Katja Liesenfeld confirmed that the company “revoked the corresponding API token and immediately removed it from the public repository.”
“We can confirm that the internal source code was published to a public GitHub repository by human error,” Liesenfeld said in a statement to TechCrunch. “The security of our organization, products and services is one of our top priorities.”
“We will continue to analyze this case according to our normal procedures. Accordingly, we implement corrective measures,” Liesenfeld added.
It is not known if anyone other than Mittal discovered the exposed key, which was published in late September 2023.
Mercedes declined to say whether it is aware of any third-party access to the exposed data, or whether the company has the technical capability, such as access logs, to determine whether its data repositories were improperly accessed. The spokesman cited unspecified security reasons.
Last week, TechCrunch exclusively reported that Hyundai’s India subsidiary fixed a bug that exposed the personal information of its customers, including the names, postal addresses, email addresses and phone numbers of Hyundai Motor India customers. who had their vehicles repaired at Hyundai stations. India.
