<div id=”articlebody”>

Mercedes-Benz had a glaring vulnerability in an open-source repository that exposed its source code, a treasure trove of valuable, sensitive information, and put the company at risk of regulatory fines. Whether or not anyone managed to exploit the flaw before it was found and plugged remains to be seen.

Cybersecurity researchers from RedHunt Labs found a GitHub repository belonging to a Mercedes employee in late September 2023.

This repository contained a GitHub token which granted access to the company’s internal GitHub Enterprise Server.
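As an added defensive example (not code from the article, from Mercedes-Benz or from RedHunt Labs), a small pre-commit style scanner that flags GitHub token formats before a file reaches a public repository. The file contents and the internal server URL are constructed sample data; the token formats assumed are GitHub's documented prefixes (classic `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` plus 36 characters, fine-grained `github_pat_`).

```python
import re
from typing import Dict, List, Tuple

# Assumed GitHub token formats (from GitHub's public documentation):
# classic PATs and app/OAuth tokens are a two-letter-plus-one prefix and 36 chars;
# fine-grained PATs are github_pat_ + 22 chars + "_" + 59 chars.
GITHUB_TOKEN_PATTERNS = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
]


def redact(token: str) -> str:
    """Keep enough of the token to correlate a finding without re-exposing the secret."""
    return token[:8] + "..." + token[-4:]


def find_github_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every GitHub token found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in GITHUB_TOKEN_PATTERNS:
            for match in pattern.finditer(line):
                hits.append((lineno, redact(match.group(0))))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; only paths with findings are returned."""
    findings = {}
    for path, contents in files.items():
        hits = find_github_tokens(contents)
        if hits:
            findings[path] = hits
    return findings


def precommit_check(files: Dict[str, str]) -> int:
    """Exit status for a commit hook: 1 (block the commit) if any token is found, else 0."""
    return 1 if scan_files(files) else 0


# Constructed sample repository contents; the tokens are dummy values in the right shape.
SAMPLE_REPO_FILES = {
    "config/settings.ini": (
        "[github]\n"
        "server = https://ghe.internal.example/api/v3\n"  # hypothetical internal server
        "token = " + "ghp_" + "abcdefghijklmnopqrstuvwxyz0123456789" + "\n"
    ),
    "README.md": "Read GITHUB_TOKEN from the environment; never commit it.\n",
    "scripts/deploy.sh": "export GH_TOKEN=" + "github_pat_" + "A" * 22 + "_" + "B" * 59 + "\n",
}
```

Running `scan_files(SAMPLE_REPO_FILES)` reports the `.ini` and `.sh` files with line numbers and redacted tokens, and `precommit_check` returns 1 so a hook can refuse the commit.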

Human error

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the Internal GitHub Enterprise Server,” RedHunt Labs’ report claims. “The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information.”

The researchers suggest that this was a major mishap that could cost the company dearly. By reverse-engineering the source code, other automakers could uncover the secrets of proprietary tech. Attackers could use the same access to find flaws, both in the vehicles and in the company itself, which could in turn lead to cyberattacks such as ransomware.

Finally, if the repositories held sensitive customer data, data protection watchdogs will have their field day, as well.

However, in a statement given to BleepingComputer, Mercedes says that won’t be the case.
