The London-based cybersecurity firm found a Mercedes employee's authentication token on a public GitHub repository.

RedHunt Labs informed TechCrunch of its findings, and together with the media outlet it notified the car manufacturer.

The security company discovered that an authentication token belonging to a Mercedes employee had been inadvertently exposed in a public GitHub repository. The discovery was made during a routine internet scan conducted in January.

The exposed token could grant unrestricted access to Mercedes's GitHub Enterprise Server, allowing anyone who held it to access the company's private source code repositories.

“The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information,” Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, told TechCrunch.

According to Shubham Mittal, the GitHub token provided access to repositories of the German luxury and commercial automaker, encompassing its Postgres database, Amazon Web Services and Microsoft Azure keys, as well as source code.

Mercedes-Benz revealed that the API token had been revoked, acknowledging that the publication of the source code on a public repository was the result of human error.

"We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures," said Mercedes-Benz spokesperson Katja Liesenfeld.

The company did not specify whether third parties had gained unauthorized access to the internet-exposed data.
