Home > News > Industry News > How a mistakenly published pas.....
Browse Categories
Android7.1 Car DVD GPS(83)
Large screen Android Car DVD GPS(96)
Pure Android 7.1 Car DVD Gps(112)
Car MP5 Player(20)
Wince Car DVD GPS(274)
Car Rearview Camera(52)
Universal Car DVD(19)
Electric Tailgate Lift(29)
TV Box(6)
DVB-T&ISDB-T(11)
Rotating car DVD(2)
F10 F30 Subwoofer Loudspeaker Horn(5)
car radio frame(13)
Versatile Navigation(1)
ORGINAL DASH BOARD FOR BMW(1)
Android car dvd gps for Audi(2)
Android car dvd gps for Skoda(2)
Android car dvd gps for VW and Seat(2)
Android for Mercedes Benz(2)
Android for BMW(3)
Tesla Style(4)
Car stopwatch(2)
Android 12 Car DVD GPS(4)
Steering Wheel(9)
Fidget Spinner(6)
Headlight(19)
Headrest DVD Player(16)
Car DVR(15)
Contact us
Dorothy: General Manager
wechat:13684961929
Skype: dorothy3629
Email:dorothy@cardvd-wholesale.com
QQ email : 28239515@qq.com
------------------------------
Contact Now

News

How a mistakenly published password exposed Mercedes-Benz source code

Plus 'cloud access keys, blueprints, design documents, passwords, API keys ...'


Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it.

Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.

According to Mittal, this token — an alternative to using a password for authenticating to GitHub — could grant anyone full access to Mercedes’s GitHub Enterprise Server, thus allowing the download of the company’s private source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained in a report shared by TechCrunch. “The repositories include a large amount of intellectual property ... connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API keys, and other critical internal information.”

Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories.

TechCrunch disclosed the security issue to Mercedes on Monday. On Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company “revoked the respective API token and removed the public repository immediately.”

“We can confirm that internal source code was published on a public GitHub repository by human error,” Liesenfeld said in a statement to TechCrunch. “The security of our organization, products, and services is one of our top priorities."

“We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures,” Liesenfeld added.

It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.

Mercedes declined to say whether it is aware of any third-party access to the exposed data or whether the company has the technical ability, such as access logs, to determine if there was any improper access to its data repositories. The spokesperson cited unspecified security reasons.

Last week,TechCrunch exclusively reported that Hyundai’s India subsidiary fixed a bug that exposed its customers’ personal information, including the names, mailing addresses, email addresses and phone numbers of Hyundai Motor India customers, who had their vehicles serviced at Hyundai-owned stations across India.