After a startling discovery by cybersecurity company RedHunt Labs, Mercedes-Benz has been left scrambling to secure its internal data. The company unintentionally leaked sensitive information after accidentally making a private key accessible online. This mistake gave unauthorized individuals “unrestricted access” to the source code of the luxury car maker, according to Shubham Mittal, co-founder and chief technology officer of RedHunt Labs.
Mittal notified TechCrunch of the exposure and requested assistance in disclosing the issue to Mercedes. During a routine internet scan in January, RedHunt Labs found a Mercedes employee’s authentication token in a public GitHub repository. This token, which is used as an alternative to passwords for GitHub authentication, could allow anyone to gain full access to Mercedes’ GitHub Enterprise Server and download the company’s private source code repositories.
In a report provided to TechCrunch, Mittal revealed that the “unrestricted” and “unmonitored” access granted by the GitHub token extended to the entire source code stored on the internal GitHub Enterprise Server. This included highly sensitive information such as intellectual property, connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other confidential internal data.
Mittal also shared evidence with TechCrunch, showing that the exposed repositories contained keys for Microsoft Azure and Amazon Web Services, a Postgres database, and source code for Mercedes. It is currently unclear if any customer data was included in the repositories.
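The kind of check that catches a committed credential before it reaches a public repository, added here as an example and not code from the article, Mercedes or RedHunt Labs: a small Python scanner for the credential formats the report names (a GitHub personal access token, an AWS access key ID, a Postgres connection string). The token formats are assumptions taken from public documentation, and the sample files and their values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Assumed formats (from public documentation, not from the article):
#   GitHub classic PAT: "ghp_" followed by 36 alphanumerics.
#   AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
#   Postgres URI: postgres[ql]://user:password@host[...]
PATTERNS: Dict[str, re.Pattern] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "postgres_connection_string": re.compile(
        r"\bpostgres(?:ql)?://[^\s:@/]+:[^\s@]+@[^\s/]+"
    ),
}


def scan_text(path: str, text: str) -> List[Tuple[str, str, int]]:
    """Return (path, finding_type, line_number) for every line matching a pattern."""
    findings: List[Tuple[str, str, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, name, lineno))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Scan a mapping of path -> file contents, e.g. the staged files of a commit."""
    findings: List[Tuple[str, str, int]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files; the credential values are made up and not real.
SAMPLE_FILES: Dict[str, str] = {
    ".env": "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
            "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\n",
    "deploy.yml": "aws_access_key_id: AKIAABCDEFGHIJKLMNOP\nregion: eu-central-1\n",
    "README.md": "Set GITHUB_TOKEN in your environment; never commit it.\n",
}

if __name__ == "__main__":
    # A pre-commit hook would exit non-zero when this list is non-empty.
    for path, kind, lineno in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {kind}")
```

Pattern matching of this kind is a first line of defence only; a token that is already public must still be revoked, since copies of the repository may exist.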
TechCrunch immediately disclosed the security issue to Mercedes on Monday. By Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company had taken action by revoking the API token and removing the public repository.
In a statement to TechCrunch, Liesenfeld acknowledged the error and stated that the company’s utmost priority is the security of their organization, products, and services. She also mentioned that Mercedes will continue to investigate the incident and take necessary measures to prevent similar occurrences in the future.
At this time, it is unknown if any other parties besides Mittal had discovered the exposed key, which was published in late September 2023. Mercedes has not disclosed whether it is aware of any third-party access to the compromised data or whether it has the means to determine if there was any unauthorized access. Mercedes cited security reasons for not providing further details.
This is not the first time a major car manufacturer has faced data security issues. Last week, TechCrunch exclusively reported on a bug fixed by Hyundai’s India subsidiary that exposed personal information of its customers, including names, mailing addresses, email addresses, and phone numbers.