Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach that occurred at the start of the month and was publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories.
These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify.
“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email.
“We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.
A bug in an Irish government website that exposed COVID-19 vaccination records took two years to publicly disclose
The Irish government fixed a vulnerability two years ago in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents.
But details of the vulnerability weren’t revealed until this week after attempts to coordinate public disclosure with the government agency stalled and ended.
Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland.
Costello’s public disclosure comes more than two years after he first reported the vulnerability.
His blog post included a multi-year timeline revealing a back and forth between various government departments, none of which was willing to take ownership of the public disclosure.
India’s federal election commission has fixed flaws on its website that exposed data related to citizens’ requests for information related to their voting eligibility status, local political candidates and parties, and technical details about electronic voting machines.
The bugs allowed anyone to access RTI (Right to Information) requests, download transaction receipts, and read the responses shared by officials, without the site properly authenticating user logins.
Some of the exposed data included the RTI filing date, the questions asked, the applicant’s name and mailing address, the applicant’s poverty line status, and RTI responses.
The bugs were fixed earlier this week following CERT-In’s intervention.
The Election Commission of India did not respond to a request for comment.
The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services.
YX International claims to send five million SMS text messages daily.
But codes sent over SMS text messages are not as secure as stronger forms of 2FA, such as an app-based code generator, since SMS text messages are prone to interception or exposure — or in this case, leaking from a database onto the open web.
TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International in the exposed database, and alerted the company to the leaking database.
YX International would not say for how long the database was exposed.
An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents.
The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes.
One of the bugs allowed anyone to access personal documents and information with knowledge of a registrant’s phone number.
The state’s Jan Aadhaar portal, which launched in 2019, says it has more than 78 million individual registrants and 20 million families.
The portal aims to offer “One Number, One Card, One Identity” to residents in the northern state of Rajasthan for accessing state government welfare schemes.
Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it.
The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.
According to Mittal, this token — an alternative to using a password for authenticating to GitHub — could grant anyone full access to Mercedes’s GitHub Enterprise Server, thus allowing the download of the company’s private source code repositories.
“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained in a report shared by TechCrunch.
It’s not known if anyone besides Mittal discovered the exposed key, which was published in late September 2023.
In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would provide a statement.
The bug exposed customers’ personal information through the web links Hyundai Motor India shared with customers over WhatsApp after receiving their vehicles for servicing at an authorized service station.
TechCrunch shared the details of the bug with Hyundai Motor India on the same day, and requested Hyundai Motor India fix the bug within seven days due to its simplicity and severity.
Established in 1996, Hyundai Motor India is among the top three carmakers in the country, alongside Maruti Suzuki and Tata Motors.
Hyundai Motor India has a network of over 1,500 service stations in the country.
Database management giant MongoDB says it’s investigating a security incident that has resulted in the exposure of some information about customers.
In an update published on Sunday, MongoDB said it does not believe hackers accessed any customer data stored in MongoDB Atlas, the company’s hosted database offering.
For one customer, this included system logs, MongoDB said.
System logs can include information about the running of a database or its underlying system.
MongoDB declined to say how many customers may be affected by the compromise of its corporate systems.
Ubiquiti, the networking and video surveillance camera maker, has fixed a bug that users say mistakenly gave them access to the accounts and private live video streams of other customers.
Reports first emerged on Reddit that some customers received push notifications on their phones featuring Ubiquiti account-related information and private video streams belonging to other customers.
Another person said they logged into their Ubiquiti account but were presented with the account data of another customer.
“I logged in and I seem to be someone else,” said one person on the Ubiquiti subreddit.
Ubiquiti is a cloud and technology company that makes routers, network switches, security and video surveillance gear, which can be remotely controlled and operated through its centralized cloud offering.
It’s not uncommon for platforms like Patreon to offer creators a means of receiving funds from their supporters. However, this recently fixed security bug shows that even privacy-focused platforms can…