This is how Mercedes-Benz was almost hacked, and it could happen to you too

Although we cannot deny that hackers are increasingly skilled at carrying out their attacks (and even more so now that they have the help of AI), many times it is our own fault that we fall victim to a computer attack. More than once, carelessness has opened the door for hackers to get hold of all our data. And this is what just happened to Mercedes-Benz.

Yesterday news broke that the giant German car manufacturer, Mercedes-Benz, could have exposed absolutely all of its source code on the Internet, opening the door for anyone to download it, distribute it over the Internet, and even sell it to other companies. But how was this possible? What exactly happened?

An oversight by a Mercedes-Benz employee

A security researcher (luckily, on the “good side”) from the firm RedHunt Labs warned that, during a routine scan, he found an employee’s access token in a public repository that the employee kept for personal use. Such a token is a more secure alternative to the classic username/password when accessing a server from anywhere (for example, from home). This one specifically allowed the employee to connect to Mercedes-Benz’s GitHub Enterprise Server to work with the code.

The token’s use was not monitored, and it had absolute privileges within the company’s code server. Specifically, the servers held all the vehicle software source code, connection strings, cloud access keys, blueprints, design documents, passwords, API keys and other critical internal information. In addition, access keys to Microsoft Azure and Amazon Web Services were also found.

In addition to all of the above, this security flaw could also have damaged the reputation of the manufacturer, which could have affected the price and future investments.

Bug already fixed

There is no doubt that this is a human error, say those responsible for the firm. How this could have happened is a mystery. Most likely, this worker had his own repositories at home and, when committing the code, this access token was inadvertently uploaded.

At this time, the firm is analyzing whether anyone else has been able to access its servers using this token, since it has been on GitHub, available to everyone, since September 2023. After analyzing the case carefully, and following its own protocols, the company announces that it will take measures to prevent this from happening again in the future. And the first of these measures is its own rewards program for those who find security flaws.

Despite everything, several questions remain up in the air. Why would an employee have an unmonitored token with unlimited access to the entire server? Either he held a very senior position within Mercedes-Benz, or the company had configured its tokens poorly.

It has happened before

This is not the first time that confidential data that could lead to computer attacks has been published within code on GitHub. For example, many developers who upload code include their projects’ test API keys in it, with which anyone could authenticate to those projects. To give just one more very famous example, in October 2022 it was discovered that Toyota had been exposing a GitHub key for 5 years, from which confidential customer information could be accessed.

Private passwords, session cookies, and other types of private files that should not be part of the code but, due to the programmer’s inattention, end up there have also been found in repositories. For this reason, it is vitally important to make sure that we configure Git and GitHub well, that all the code uploaded to the platform is always clean, and that we review our commits very carefully so that no file that should not be there travels along when we synchronize the repository.
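
One way to automate the commit review described above, as an added example (not code from this article or from any company it mentions): a Python check that scans the lines being added in staged changes for GitHub token, AWS access key ID and private-key shapes. The rule set, file name and sample diff are constructed for illustration, and the credentials in the sample are dummy strings.

```python
import re
import subprocess

# Publicly documented token shapes; extend with your organisation's own formats.
RULES = {
    "github-token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff; both credentials are dummy strings built at runtime.
SAMPLE_DIFF = f"""\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,2 +10,4 @@
 DEBUG = False
+GHE_TOKEN = "{'ghp_' + 'A' * 36}"
+AWS_KEY = "{'AKIA' + 'X' * 16}"
 REGION = "eu-central-1"
"""

def scan_diff(diff_text):
    """Return (path, new_line_no, rule) for every secret on an added line."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # new file: headers follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            in_hunk, line_no = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):
            findings += [(path, line_no, name) for name, rx in RULES.items()
                         if rx.search(line[1:])]
            line_no += 1
        elif in_hunk and line.startswith(" "):
            line_no += 1                         # context line in the new file
    return findings

if __name__ == "__main__":
    staged = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
    hits = scan_diff(staged)
    for path, line_no, rule in hits:             # never echo the secret itself
        print(f"{path}:{line_no}: possible {rule}")
    raise SystemExit(1 if hits else 0)
```

Called from a Git `pre-commit` hook, its non-zero exit status blocks the commit before the credential ever leaves the developer's machine.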
