A Mercedes-Benz employee dropped an access key to corporate systems in the GitHub repository

Anyone could get their hands on the company's secrets for 4 months.

Carmaker Mercedes-Benz came close to a serious leak of internal confidential data. As the cybersecurity company RedHunt Labs discovered, one of its employees left a developer's private key openly accessible on the Internet, which opened unrestricted access to the source code of internal systems.

During routine monitoring of Internet resources in January, analysts stumbled upon an authentication token in a public GitHub repository. The token effectively removed the need to enter a password and granted complete freedom of action on the corporate GitHub Enterprise server. In other words, attackers could easily have downloaded any private repository.

These repositories contained credentials for internal archives, access keys to cloud services, blueprints, design documents, passwords for the single sign-on (SSO) system, APIs and other valuable information.
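The incident above is the classic case of a credential committed to a public repository: a token that stands in for a password, and that no one scanned for before the push. A defender's first mitigation is a pre-commit or CI secret scan. The following is an added example, not code from the article or from any of the companies it names; it assumes the documented GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_ with 36 trailing characters, and github_pat_ with 82) and falls back to a Shannon-entropy check on values assigned to variables named like secrets. The sample config it scans is constructed and contains no real credentials; the exact format of the leaked Mercedes token is not stated on the page.

```python
import math
import re
import sys
from collections import Counter

# Public GitHub token shapes (assumption: documented prefixes as of 2021+).
# Classic PAT ghp_, OAuth gho_, user-to-server ghu_, server-to-server ghs_,
# refresh ghr_: prefix + 36 alphanumerics. Fine-grained PAT: github_pat_ + 82.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b"
)

# Generic catch-all: VAR_TOKEN = "...", DB_PASSWORD: '...', API_KEY = "..."
# with a quoted value of at least 16 characters.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API[_-]?KEY))\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Show only the first and last four characters so reports are safe to share."""
    if len(value) <= 12:
        return "***"
    return value[:4] + "..." + value[-4:]


def scan_text(text, min_entropy=3.5):
    """Return (line_number, kind, redacted_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Known token formats are reported on shape alone, no entropy needed.
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append((lineno, "github-token", redact(m.group(0))))
        # Anything else assigned to a secret-looking variable gets the entropy test.
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if GITHUB_TOKEN_RE.fullmatch(value):
                continue  # already reported above
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "high-entropy-secret", redact(value)))
    return findings


# Constructed sample file; every value here is made up for the demonstration.
SAMPLE_CONFIG = """\
# constructed sample, not real credentials
GITHUB_TOKEN = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
DB_PASSWORD = "hunter2hunter2hunter2"
API_KEY = "x7Qp2mLz9Vk4Rt8Hs3Jn6Wb1Yc5Fd0Gg"
"""


def scan_files(paths):
    """Scan each file on disk; returns a dict of path -> findings."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = scan_text(fh.read())
    return results


if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan the given files.
    if len(sys.argv) > 1:
        report = scan_files(sys.argv[1:])
    else:
        report = {"<sample>": scan_text(SAMPLE_CONFIG)}
    for path, findings in report.items():
        for lineno, kind, shown in findings:
            print(f"{path}:{lineno}: {kind}: {shown}")
    # A non-zero exit lets a pre-commit hook or CI job block the push.
    sys.exit(1 if any(report.values()) else 0)
```

Run it as a pre-commit hook over staged files (or over `git diff` output in CI) and fail the job on any finding. The repetitive password in the sample is deliberately below the entropy threshold to show the trade-off: entropy catches random keys, not weak human-chosen ones, which is why the known-format regex is tried first.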

Experts specify that repositories containing keys to the Microsoft Azure and Amazon Web Services cloud services, as well as to the internal Postgres database and the source code of Microsoft's own systems, were publicly accessible. It is not yet clear whether customers' personal data was among the exposed resources.

A Mercedes spokesperson confirmed that the leak was caused by an employee. The company immediately revoked the compromised token and closed the repository. Management states that protecting the company's confidential data, products and services is its top priority. An internal investigation of the incident has already been launched, and measures to prevent similar problems in the future will be taken based on its results.

It is not yet clear whether any attackers managed to take advantage of the code, which had been publicly exposed since September 2023. Mercedes representatives declined to say whether the company uses technical monitoring tools that would allow it to determine whether unauthorized access to internal systems took place, citing information security considerations as the reason for the refusal.