
An authentication token for GitHub was accidentally shared publicly by an employee. With this token, the entire source code on Mercedes’ GitHub Enterprise Server was viewable.

RedHunt Labs found the authentication token during a routine scan in January. CTO Shubham Mittal contacted TechCrunch to share the findings. “The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal said.

The authentication token, intended to let a Mercedes employee sign in without a password, granted far more than that. According to Mittal, it exposed “connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys and other critical internal information.” Also present were keys for Azure and AWS, a Postgres database, and the Mercedes-Benz source code.
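The token was picked up by a routine scan, which is the same control a defender would run over their own repositories and commits before a token reaches a public host. The following is an added example, not code from the article, RedHunt Labs or Mercedes-Benz: a minimal scanner that flags the publicly documented GitHub token prefixes in text and reports each hit in redacted form. The article does not state what format the leaked token had; the assumption that it was a GitHub personal access token, and the sample config lines below, are constructed for illustration.

```python
import re

# Publicly documented GitHub token prefixes. Classic tokens are the prefix
# plus 36 alphanumerics; fine-grained PATs are "github_pat_" plus 82 chars.
# Assumption: the leaked token was one of these; the article does not say.
GITHUB_TOKEN_PATTERNS = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "user_to_server": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "server_to_server": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "refresh": re.compile(r"\bghr_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}


def redact(token: str) -> str:
    """Keep just enough of the token to identify it in a ticket, never the whole secret."""
    return f"{token[:8]}...{token[-4:]}"


def find_github_tokens(text: str) -> list[dict]:
    """Scan text line by line; return one finding per token-shaped match.

    Each finding records the 1-based line number, the token kind and a
    redacted form, so the report itself does not re-leak the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"line": lineno, "kind": kind, "redacted": redact(match.group(0))}
                )
    return findings


# Constructed sample of a config file accidentally committed (not real tokens).
SAMPLE_TEXT = """# constructed sample of a config file accidentally committed
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
DB_HOST=db.internal.example
ghp_short is not a token
export GH_PAT="github_pat_0123456789abcdefghijkl_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456"
"""

if __name__ == "__main__":
    for finding in find_github_tokens(SAMPLE_TEXT):
        print(f"line {finding['line']}: {finding['kind']} {finding['redacted']}")
```

Run over the sample, the scanner reports the classic token on line 2 and the fine-grained token on line 5 while ignoring the look-alike on line 4. In practice a hit like this should be treated as a revocation event, not a cleanup task: the commit can be rewritten, but the token stays valid until it is revoked, which is exactly why a secret published in September remained usable until January in the incident above.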

Long available, not known who had access

As far as can be discerned, only RedHunt Labs found the token, but that in itself shouldn’t be enough to reassure Mercedes-Benz. The data was published in late September 2023, giving a malicious party four months to find it. Mercedes closed the leak shortly after TechCrunch notified the company of the incident. The automaker did not disclose whether it is aware of other parties that have gained access through this token.

The leak of the source code itself need not be catastrophic. The head of Google’s Threat Analysis Group told Wired in 2022 that it is leaks of account and user data that organizations should be especially protective against. “Just because someone can see the source code doesn’t mean they’ll be able to exploit it right then,” he said. This Mercedes leak, however, involves more than just source code; still, if only RedHunt Labs had access, the damage was limited.


IP and open source

However, IP protection is extremely important, and of course, that also applies to the automotive industry. Given the development of connected cars, this sector is innovating at a rapid rate. Examples include improving efficiency and self-driving functions. Mercedes itself utilizes its MB.OS operating system, which should make it as easy as possible for users to tap into all the functions.

Mercedes stated late last year that it is a big proponent of open source, which is why it has a large presence on GitHub. That apparently did cause problems this time around.
