Mismanaged GitHub Token Unveils Mercedes-Benz's Confidential Source Code

In a recent cybersecurity oversight, an improperly managed GitHub token inadvertently granted open access to Mercedes-Benz's confidential GitHub Enterprise Service, risking exposure of their proprietary source code.

Renowned for its legacy in producing high-end vehicles, Mercedes-Benz stands as a beacon in the automotive industry. Their range encompasses luxury cars, buses, and trucks, each emblematic of the company's commitment to quality and innovation.

In the realm of modern automotive manufacturing, Mercedes-Benz is a frontrunner in integrating sophisticated software across its lineup. This includes systems for vehicle safety and control, advanced infotainment, autonomous driving capabilities, diagnostic tools, network connectivity, and efficient power management in electric vehicles (EVs).

On September 29, 2023, an alarming discovery was made by RedHunt Labs' researchers. They found that a public repository linked to a Mercedes-Benz employee contained a GitHub token. This token, unfortunately, provided unrestricted access to the company's internal GitHub Enterprise Server.

According to the detailed report by RedHunt Labs, this token allowed unfettered and unmonitored entry into Mercedes-Benz's GitHub Enterprise Server. This exposed a trove of sensitive data, including database credentials, cloud access keys, vehicle design plans, proprietary documents, single sign-on (SSO) passwords, API keys, and other crucial internal data.

The implications of such exposure are significant, as RedHunt Labs pointed out. The leakage of source code could enable competitors to reverse-engineer Mercedes-Benz's unique technology or allow cybercriminals to find vulnerabilities in the company's vehicle systems.

Moreover, the leak of API keys posed risks of unauthorized data access, potential service disruptions, and exploitation of the company's digital infrastructure for malicious activities.

In their report, RedHunt Labs also raised concerns about potential legal issues, such as breaches of GDPR, especially if the exposed repositories included customer data. However, the exact nature of the leaked files wasn't confirmed by the researchers.s

Upon discovering the breach, RedHunt Labs, with assistance from TechCrunch, notified Mercedes-Benz about the token compromise on January 22, 2024. The company swiftly responded by revoking the token on January 24, thereby cutting off any unauthorized access.

This incident bears similarity to a past security lapse at Toyota in October 2022, where an exposed GitHub key left customer data publicly accessible for an extended period.

These incidents underscore the importance of diligent cybersecurity practices, particularly the necessity of monitoring GitHub Enterprise instances and maintaining audit logs, which can provide crucial data like IP addresses in the event of a breach

Post a Comment