Mercedes-Benz Source Code Exposed Due To Mistakenly Published Password


Mercedes-Benz inadvertently revealed a significant amount of internal data after a private key was left online, providing unrestricted access to the company’s source code. The exposure was discovered by the cybersecurity company RedHunt Labs, which found a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.

Key Takeaway

Mercedes-Benz inadvertently exposed its source code due to a mistakenly published password, potentially compromising sensitive internal information. The company has taken immediate steps to address the issue and prioritize the security of its systems.

Security Breach Details

Shubham Mittal, the co-founder and chief technology officer of RedHunt Labs, highlighted that the GitHub token allowed unmonitored access to Mercedes’s GitHub Enterprise Server, potentially enabling the download of the company’s private source code repositories. The exposed repositories contained sensitive information such as Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It remains unclear whether any customer data was included in the repositories.
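The incident described above started with a credential committed to a public repository. The control that catches this class of mistake before the push is a secret scan over staged files, which is what the following added example implements; it is not code from Mercedes-Benz, RedHunt Labs or GitHub. The GitHub classic token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` plus 36 alphanumerics), the AWS access key ID shape (`AKIA`/`ASIA` plus 16 characters) and the PEM private-key header are documented public formats; the regex tuning, the `# allow-secret` marker, the file paths and every credential value in the sample are this example's own constructions.

```python
"""Pre-commit style secret scanner (added example, not Mercedes-Benz or RedHunt Labs code)."""
import re
from typing import Dict, List, NamedTuple

# Documented public formats for classic GitHub tokens and AWS access key IDs,
# plus the PEM private-key header. The exact regex tuning is this example's own.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Marker (an assumption of this example) a developer appends to a line that holds
# a documented dummy value, so documentation does not trip the gate.
ALLOWLIST_MARKER = "# allow-secret"


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    preview: str  # redacted, so it is safe to print in CI logs


def redact(secret: str) -> str:
    """Keep enough of the value to recognise it, never enough to use it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per pattern match, skipping allow-listed lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.rstrip().endswith(ALLOWLIST_MARKER):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a path to its staged content, as a pre-commit hook would see it."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def should_block_commit(files: Dict[str, str]) -> bool:
    """A single hit is enough to fail the hook; the token in the article was one line."""
    return bool(scan_files(files))


# Constructed staged files: every credential below is a deliberately fake
# placeholder that only reproduces the shape of the real format.
STAGED: Dict[str, str] = {
    "deploy/settings.py": (
        'GITHUB_TOKEN = "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"\n'
        'DB_URL = "postgres://app@db.internal/app"\n'
    ),
    "docs/auth.md": (
        "Token shape: ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0  # allow-secret\n"
    ),
    "keys/ci.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakebody\n-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(STAGED):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.preview}")
    raise SystemExit(1 if should_block_commit(STAGED) else 0)
```

Run as a `pre-commit` hook the script exits non-zero on any hit, which is the point: the cost of a false positive is one allow-list marker, while the cost of a false negative is the incident above. Pattern matching alone will not catch every secret type (a Postgres connection string with an embedded password needs its own rule), so this belongs alongside, not instead of, the provider-side scanning GitHub and the cloud vendors offer.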

Response from Mercedes-Benz

Upon being informed of the security issue, Mercedes-Benz promptly took action. The company’s spokesperson, Katja Liesenfeld, confirmed that the API token was revoked, and the public repository was immediately removed. Liesenfeld emphasized that the security of the organization, products, and services is a top priority for Mercedes-Benz. The company is conducting a thorough analysis of the incident and will implement remedial measures as necessary.
