Mercedes-Benz exposed a key that allows access to the company's source code

Mercedes-Benz accidentally exposed a large amount of internal data. According to security research firm RedHunt Labs, the automaker left a private key on the Internet that granted “unrestricted access” to the company’s source code.

Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, raised the alarm about the exposure. The London-based cybersecurity company said it discovered a Mercedes-Benz employee's authentication token in a public GitHub repository during a routine scan in January.

This token, which serves as an alternative to using a password to authenticate with GitHub, could give anyone full access to Mercedes' GitHub Enterprise Server and enable downloading of the company's private source code repositories.

The GitHub token granted “unrestricted” and “unsupervised” access to all source code hosted on the internal GitHub Enterprise Server.

Repositories contain a lot of intellectual property: connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other important internal information.

The exposed repositories included Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It is not yet known whether the repositories contained customer data.

Mercedes spokeswoman Katja Liesenfeld confirmed that the company “revoked the corresponding API token and immediately deleted the public repository.”

We can confirm that the internal source code was released to a public GitHub repository due to human error. The security of our organization, products and services is one of our top priorities.

We will continue to analyze this case according to our normal processes. Depending on this, we will implement corrective measures.

It is unknown whether anyone other than Mittal discovered the exposed key, which was published in late September 2023.


Mercedes did not want to comment on whether it is aware of third-party access to the disclosed data or whether the company has the technical capacity (e.g. access logs) to determine whether improper access to its data has taken place. The spokeswoman cited unspecified security reasons.
