A mishandled GitHub token exposed Mercedes-Benz source code

January 30, 2024 at 01:46PM

A mishandled GitHub token granted unrestricted access to Mercedes-Benz’s internal GitHub Enterprise Service, exposing sensitive source code. RedHunt Labs discovered and reported the security breach, prompting Mercedes-Benz to revoke the token and remove the public repository. The leak could have severe consequences, including reverse-engineering proprietary technology, potential GDPR infringement, and unauthorized access to customer data.

According to the report, a mishandled GitHub token granted unrestricted access to Mercedes-Benz’s internal GitHub Enterprise Service, exposing sensitive source code to the public. The exposed material included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information. The implications of such an exposure are significant: reverse-engineering of proprietary technology, scrutiny of vehicle systems for vulnerabilities, unauthorized data access, service disruption, abuse of the company’s infrastructure, and legal violations under data protection regulations such as GDPR.

Mercedes-Benz was informed of the token leak on January 22, 2024, and took immediate action by revoking the token and removing the public repository. They confirmed that customer data was not affected based on their analysis, but did not provide technical details about any potential unauthorized access. The company has also expressed willingness to work with researchers worldwide and accepts security reports through its vulnerability disclosure program.

In conclusion, while Mercedes-Benz has taken steps to address the incident and ensure the security of its systems, it would be important to continue monitoring for signs of unauthorized access and to further analyze the potential impact of the exposure, given the sensitive nature of the information that was compromised.
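The control that prevents this class of incident is scanning content for credential formats before it reaches a public repository (GitHub's own push protection does this for tokens it recognises). The following is an added example written for this page, not code from RedHunt Labs, Mercedes-Benz, or GitHub: a small scanner covering the secret classes the article lists (GitHub tokens, cloud access keys, database connection strings, private keys). The GitHub token prefixes are the formats GitHub publicly documents; the remaining patterns are heuristics of my own, and the sample configuration file is constructed with made-up values.

```python
import re
import sys

# Secret formats to flag. The GitHub prefixes (ghp_, gho_, ghu_, ghs_, ghr_,
# github_pat_) are GitHub's documented token formats; the other patterns are
# heuristics chosen for this example and will not catch every variant.
PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:[^\s@/]+@",
        re.IGNORECASE,
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret):
    """Keep only the leading prefix and last two characters so a finding
    can be reported without re-leaking the value in logs or CI output."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(text, source="<memory>"):
    """Return one finding per secret-looking match, with line number and
    a redacted excerpt. Never returns the raw secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "type": name,
                    "redacted": redact(match.group(0)),
                })
    return findings


def has_secrets(text):
    """Boolean gate suitable for a pre-commit or CI check."""
    return bool(scan_text(text))


# Constructed sample: a .env-style file with fake values in the right shapes.
SAMPLE_FILE = """# constructed example config, not real credentials
GITHUB_TOKEN=ghp_ExampleExampleExampleExampleExample0
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
DATABASE_URL="postgres://app_user:s3cret@db.internal.example/app"
LOG_LEVEL=info
"""


def main(argv):
    """Scan files given on the command line (or the built-in sample when
    none are given) and exit non-zero if anything was flagged, so the
    command can block a commit or a CI job."""
    if argv:
        blobs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv]
    else:
        blobs = [("sample.env", SAMPLE_FILE)]
    total = 0
    for source, text in blobs:
        for f in scan_text(text, source):
            total += 1
            print(f"{f['source']}:{f['line']}: {f['type']} {f['redacted']}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the three findings from the constructed sample; pass file paths to scan real files. The scanner reports redacted excerpts only, so its own output does not become a second leak when it runs in CI logs. A pattern-based check is a floor, not a ceiling: it catches well-formed tokens like the one in the article, but not secrets with arbitrary shapes such as passwords pasted into design documents, which is why revocation and rotation remain the response once a leak is found.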
