Mercedes-Benz Source Code and Sensitive Data Unintentionally Exposed on Public Server
In a significant lapse of IT security, Mercedes-Benz recently faced a precarious situation when sensitive corporate data, including its source code and business secrets, was inadvertently made accessible to the public due to human error. This incident, revealed by the UK-based security firm RedHunt Labs, underscores the vulnerabilities that even major industry players can encounter in managing digital assets.
RedHunt Labs, during a routine internet scan in January, stumbled upon an authentication token belonging to a Mercedes-Benz employee on a public GitHub repository. The token, which had been publicly available since September 2023, granted “unrestricted access” to a substantial trove of the German automaker’s intellectual property. The exposed server was a repository of critical information including blueprints, design documents, and other sensitive internal data.
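The incident turned on a credential committed to a public repository. As an added illustration (not part of the original report, and not Mercedes-Benz's or RedHunt Labs' tooling), the following pre-commit style check scans text about to be committed for two publicly documented credential formats: classic GitHub personal access tokens (`ghp_` plus 36 alphanumerics) and AWS access key IDs (`AKIA`/`ASIA` plus 16 characters). The sample diff is constructed; the AWS value is the placeholder key AWS uses in its own documentation. Matches are reported masked so the scanner's output never re-leaks what it found.

```python
import re
import sys
from dataclasses import dataclass

# Publicly documented credential formats (GitHub and AWS docs). Lengths are
# anchored so random identifiers of similar shape do not trigger false positives.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    masked: str     # redacted form of the matched value


def mask(secret: str) -> str:
    """Keep only a short prefix and suffix so a report never re-leaks the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped match in `text`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, mask(match.group(0))))
    return findings


# Constructed sample: the staged content of a config file a developer is
# about to commit. Both secret values are placeholders, not real credentials.
SAMPLE_DIFF = """\
+# constructed sample config about to be committed
+GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_HOST=db.internal.example
"""


def main() -> int:
    """Pre-commit hook behaviour: non-zero exit blocks the commit if anything matched."""
    findings = scan_text(SAMPLE_DIFF)
    for f in findings:
        print(f"line {f.line_no}: possible {f.kind} ({f.masked})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a `pre-commit` hook (or a CI job that runs it over `git diff --cached`), a check like this catches the token before it reaches a public remote; it complements, rather than replaces, the revoke-and-rotate step described later in the article, since a token that has already been pushed must be treated as compromised regardless of whether the commit is later removed.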
Shubham Mittal, co-founder of RedHunt Labs, highlighted the gravity of the exposure. The GitHub token unlocked access to Mercedes-Benz’s intellectual property files, and the repository it opened also contained cloud access keys, API keys, and additional passwords. Exploitation of these credentials could have led to widespread disruption of the carmaker’s entire IT infrastructure.
Furthermore, the exposure extended to keys for Microsoft Azure and Amazon Web Services (AWS) servers, a Postgres database, and even the source code for Mercedes-Benz software. However, no customer data appeared to be stored on the exposed servers.
Upon discovering the lapse, RedHunt Labs promptly reported the issue to TechCrunch, which in turn informed Mercedes-Benz. The company swiftly responded by revoking the unrestricted API token and removing the public repository. According to a spokesperson from Mercedes-Benz, the exposure of the company’s internal source code and sensitive data on a public GitHub server was an unintended result of human error. An ongoing internal investigation aims to ascertain the full extent of the incident, and Mercedes-Benz is committed to implementing additional remedial measures to prevent future occurrences.
While the exposed token was accessible publicly for several months, Mercedes-Benz has not yet found evidence of malicious exploitation of the data. The company is actively reviewing access logs and other security measures to determine whether there were any unauthorized attempts to access its systems.
This incident serves as a stark reminder of the critical importance of rigorous cybersecurity protocols and the potential risks of human error in safeguarding sensitive corporate information in the digital age.