Mercedes-Benz inadvertently left a significant amount of internal data exposed after an authentication token was mistakenly published, giving “unrestricted access” to the firm’s source code, as revealed by a security research team.
TechCrunch reported that Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, discovered the lapse and reached out to the publication for help notifying the automaker. RedHunt Labs, a London-based cybersecurity firm, came across an authentication token belonging to a Mercedes employee in a public GitHub repository during a routine internet scan in January.
Mittal, in his report shared by TechCrunch, stated, “The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server.” He also provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services keys, credentials for a Postgres database, and Mercedes source code. It remains unclear whether any customer data was included in these repositories.
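The scan RedHunt Labs describes is, at its core, pattern matching for credential formats across public repositories, and the cloud keys and database credentials found inside the internal repositories are the same kind of material. The following scanner is an added example written for this page, not RedHunt Labs' tooling or anything Mercedes uses. The token formats it matches are assumptions based on publicly documented prefixes (GitHub classic personal access tokens start with `ghp_`, fine-grained tokens with `github_pat_`, AWS access key IDs with `AKIA`); Azure keys have no fixed prefix, so they are only caught by the generic high-entropy check on assignments named like secrets. The sample input is constructed and every token in it is synthetic.

```python
"""Minimal secret scanner for credentials leaked in repository text.

Added example, not the research team's or the vendor's code. Token
patterns are assumptions based on publicly documented prefixes and may
lag behind format changes; treat hits as leads to verify, not proof.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Specific, low-false-positive formats (assumed from public documentation).
PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Connection strings with an embedded password, e.g. postgres://user:pw@host
    "postgres_url_with_password": re.compile(r"postgres(?:ql)?://[^:\s/]+:([^@\s]+)@"),
}

# Generic fallback: an assignment whose name looks secret-like and whose
# value is long; filtered further by entropy so placeholders are skipped.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|key|password|passwd|pwd)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{20,})"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or log the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it, never enough to reuse it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan arbitrary text line by line (file contents, or `git log -p --all`
    output, since a secret deleted from the working tree survives in history)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen: set[str] = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                seen.add(secret)
                findings.append(Finding(line_no, kind, redact(secret)))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip values already reported by a specific pattern, and skip
            # low-entropy placeholders such as "xxxxxxxx" or "changeme...".
            if value in seen or shannon_entropy(value) < entropy_threshold:
                continue
            seen.add(value)
            findings.append(Finding(line_no, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample, not real data; every credential below is synthetic.
SAMPLE = """\
# constructed sample, not real data; the tokens below are synthetic
export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:S3cretPgPassw0rd@db.internal:5432/fleet
AZURE_STORAGE_KEY="Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3A="
placeholder_password = "xxxxxxxxxxxxxxxxxxxxxxxx"
app_name = "telemetry-service"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Two points the scanner is built around match what happened here. First, output is redacted, because a scan report that reproduces live tokens is itself a leak. Second, a hit is only the start: the token has to be revoked at the issuer, which is what Mercedes reports doing, since deleting the repository does not invalidate a credential that has already been copied.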
Upon learning of the exposure, TechCrunch informed Mercedes on Monday. By Wednesday, Mercedes spokesperson Katja Liesenfeld had acknowledged the incident, confirming that the company had “revoked the respective API token and removed the public repository immediately.”