The Unintended Leak of Mercedes-Benz Source Code: A Consequence of a Published GitHub Token

Mercedes-Benz accidentally exposed a trove of internal data after an employee's GitHub authentication token was left in a public repository, giving "unrestricted access" to the company's source code, according to the security research firm that discovered it.

After a startling discovery by the London-based cybersecurity company RedHunt Labs, Mercedes-Benz has been left scrambling to secure its internal data. The company unintentionally leaked sensitive information after an authentication token was accidentally published online. This mistake gave anyone who found the token "unrestricted access" to the source code of the luxury car maker, according to Shubham Mittal, co-founder and chief technology officer of RedHunt Labs.

Mittal notified TechCrunch of the exposure and requested assistance in disclosing the issue to Mercedes. During a routine internet scan in January, RedHunt Labs found a Mercedes employee's authentication token in a public GitHub repository. This token, which is used as an alternative to a password for GitHub authentication, could allow anyone to gain full access to Mercedes' GitHub Enterprise Server and download the company's private source code repositories. Because a personal access token stands in for the account's credentials when talking to the GitHub API, whoever holds it acts as that user, with no second factor in the way.

In a report provided to TechCrunch, Mittal revealed that the “unrestricted” and “unmonitored” access granted by the GitHub token extended to the entire source code stored on the internal GitHub Enterprise Server. This included highly sensitive information such as intellectual property, connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other confidential internal data.

Mittal also shared evidence with TechCrunch, showing that the exposed repositories contained keys for Microsoft Azure and Amazon Web Services, a Postgres database, and source code for Mercedes. It is currently unclear if any customer data was included in the repositories.
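The exposure described above was found by scanning public repositories for credential formats, and the repositories it unlocked contained further cloud keys and database connection strings. The following is an added example, not code from RedHunt Labs, TechCrunch or Mercedes-Benz: a small scanner that flags the kinds of secrets named in the article (GitHub tokens, AWS access key IDs, Postgres connection strings with embedded passwords) in a file's contents and reports them redacted, so the report itself does not re-leak the value. The token patterns are assumptions about the public formats of these credentials, and the sample input is constructed.

```python
"""Minimal secret scanner: flags credential formats that commonly end up in repositories.

Added example. The regexes below are assumptions about the current public
token formats and are not taken from the article; tune them for your environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection patterns (assumed formats, see module docstring).
PATTERNS = {
    # GitHub personal access / OAuth / user-to-server / app / refresh tokens:
    # a short prefix (ghp_, gho_, ghu_, ghs_, ghr_) followed by 36 base62 characters.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # GitHub fine-grained personal access tokens.
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    # AWS access key IDs (the secret access key usually sits on a neighbouring line).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Postgres connection strings that carry a password inline.
    "postgres_uri": re.compile(r"\bpostgres(?:ql)?://[^:\s/@]+:[^@\s]+@[^\s\"']+"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be shared without re-leaking the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> list[Finding]:
    """Return every pattern hit in `text`, in line order, with the matched value redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


# Constructed sample input; these values are placeholders, not real credentials.
SAMPLE = """\
# constructed sample, not the leaked content from the article
export GITHUB_TOKEN=ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:hunter2@db.internal.example:5432/prod
SAFE_VAR=nothing-to-see-here
"""


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding.line_no}: {finding.kind} -> {finding.redacted}")
```

Run against a working tree before a commit (or as a pre-commit hook) and treat any hit as a credential to revoke, not just to delete: a token that has been pushed to a public repository has to be assumed copied, which is exactly why the remedy in this case was revocation rather than removal of the repository alone.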

TechCrunch immediately disclosed the security issue to Mercedes on Monday. By Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company had taken action by revoking the API token and removing the public repository.

In a statement to TechCrunch, Liesenfeld acknowledged the error and stated that the company’s utmost priority is the security of their organization, products, and services. She also mentioned that Mercedes will continue to investigate the incident and take necessary measures to prevent similar occurrences in the future.

At this time, it is unknown whether anyone other than Mittal discovered the exposed token, which was published in late September 2023. Mercedes has not disclosed whether it is aware of any third-party access to the exposed data, or whether it has the logging needed to determine if unauthorized access occurred. Mercedes cited security reasons for not providing further details.

This is not the first time a major car manufacturer has faced data security issues. Last week, TechCrunch exclusively reported on a bug fixed by Hyundai’s India subsidiary that exposed personal information of their customers, including names, mailing addresses, email addresses, and phone numbers.

Max Chen

Max Chen is an AI expert and journalist with a focus on the ethical and societal implications of emerging technologies. He has a background in computer science and is known for his clear and concise writing on complex technical topics. He has also written extensively on the potential risks and benefits of AI, and is a frequent speaker on the subject at industry conferences and events.
