A misconfiguration of a Microsoft Azure server at BMW leaked sensitive company information. This was discovered by a SOCRadar researcher during a routine Internet scan, reports TechCrunch.
According to TechCrunch, Can Yoleri, a security researcher at SOCRadar, discovered the misconfigured and thus open Azure server of German automotive group BMW. This happened during a routine scan of the internet. The so-called Azure “bucket” was located in BMW’s development environment and was accidentally configured as a public server instead of a private server. This made the information in the bucket readable.
Login credentials for multiple cloud services
In the open Azure bucket, the security researcher found sensitive information, including access information for Azure containers, secret keys to access private bucket addresses and details about other cloud services. More specifically, this would include private keys for BMW cloud services in China, Europe and the U.S. It also involved login details for the automotive group’s production and development databases.
It is unknown how long the bucket in question was open. The security researcher shared his findings with BMW.
Problem partially addressed
BMW indicated that the Azure bucket in question had indeed been open in response to the event. According to a spokesperson, it involved an Azure bucket in the company’s storage development environment. Customer data or other personal information was not leaked.
By early 2024, BMW would have resolved the issue. The company remains alert to possible misuse. The automaker would not comment on how long the bucket in question had been open and did not say whether malicious access to the exposed data had been gained in the meantime.
Researcher Yoleri stated in a reaction that the automotive group still has not revoked or updated all passwords or other login credentials. Thus, the automotive group has only made the Azure bucket private.
More misconfigurations in the automotive industry
By the way, BMW is not the only German automobile manufacturer that has recently inadvertently disclosed company-sensitive data. In January of this year, Mercedes-Benz accidentally left a private GitHub token open that provided unlimited access to company source code.
Read also: Internal data Mercedes-Benz was accessible due to public GitHub token