Mercedes

A mishandled GitHub token gave unrestricted access to Mercedes-Benz's internal GitHub Enterprise Service, exposing source code to the public.

Mercedes-Benz is a prestigious German car, bus, and truck maker recognized for its rich history of innovation, luxurious designs, and top build quality.

Like many modern automakers, the brand uses software in its vehicles and services, including safety and control systems, infotainment, autonomous driving, diagnostic and maintenance tools, connectivity and telematics, and electric power and battery management (for EVs).

On September 29, 2023, researchers at RedHunt Labs discovered a GitHub token in a public repository belonging to a Mercedes employee that gave access to the company's internal GitHub Enterprise Server.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the Internal GitHub Enterprise Server," reads RedHunt Labs' report.

"The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information."

As the researchers explained, the consequences of publicly exposing that data can be severe.

Source code leaks can lead to competitors reverse-engineering proprietary technology or hackers scrutinizing it for potential vulnerabilities in vehicle systems.

Also, the exposure of API keys could lead to unauthorized data access, service disruption, and abuse of the company's infrastructure for malicious purposes.

RedHunt Labs also mentions the possibility of legal violations, such as GDPR infringement, in case the exposed repositories contained customer data. However, the researchers have not validated the contents of the exposed files.

RedHunt, with help from TechCrunch, informed Mercedes-Benz of the token leak on January 22, 2024, and the company revoked it two days later, blocking access for anyone holding and abusing it.

This incident resembles a Toyota security mishap from October 2022, when the Japanese automaker revealed that personal customer information remained publicly accessible for five years due to an exposed GitHub access key.

These incidents only generate evidence of malicious exploitation if the owners of GitHub Enterprise instances have activated audit logs, which typically include IP addresses.
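The audit-log review mentioned above, as an added example that is not from the article, RedHunt Labs, or Mercedes-Benz: it filters exported audit events for one token and lists its use from addresses outside known networks. The JSON-lines layout, the field names (`hashed_token` as a base64 SHA-256 of the token, `actor_ip`, `@timestamp`, `action`, `repo`), and every sample value are assumptions.

```python
import base64
import hashlib
import ipaddress
import json
from collections import defaultdict

# Constructed sample data: placeholder token, documentation-range IPs,
# and audit events whose field names are assumed, not taken from the article.
LEAKED_TOKEN = "EXAMPLE-LEAKED-TOKEN-PLACEHOLDER"
KNOWN_NETWORKS = ["10.0.0.0/8"]  # assumed corporate egress ranges


def token_hash(token):
    """Base64 SHA-256 of the token, the form assumed for `hashed_token`."""
    return base64.b64encode(hashlib.sha256(token.encode()).digest()).decode()


_H = token_hash(LEAKED_TOKEN)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"@timestamp": 1696000000000, "action": "git.clone",
     "actor_ip": "10.1.2.3", "repo": "example-org/app", "hashed_token": _H},
    {"@timestamp": 1700000500000, "action": "git.fetch",
     "actor_ip": "203.0.113.7", "repo": "example-org/infra", "hashed_token": _H},
    {"@timestamp": 1700000000000, "action": "git.clone",
     "actor_ip": "203.0.113.7", "repo": "example-org/app", "hashed_token": _H},
    {"@timestamp": 1700000900000, "action": "git.clone",
     "actor_ip": "198.51.100.9", "repo": "example-org/app",
     "hashed_token": token_hash("some-other-token")},
])


def unknown_ip_usage(log_text, token, known_networks):
    """Map each source IP outside `known_networks` to the time-ordered
    (timestamp, action, repo) events performed with `token`."""
    wanted = token_hash(token)
    nets = [ipaddress.ip_network(n) for n in known_networks]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            ip = ipaddress.ip_address(ev["actor_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed line, or no source address
        if ev.get("hashed_token") != wanted or any(ip in n for n in nets):
            continue  # different credential, or a known internal address
        hits[str(ip)].append(
            (ev.get("@timestamp", 0), ev.get("action", ""), ev.get("repo", "")))
    return {ip: sorted(events) for ip, events in hits.items()}
```

Without retained audit logs there is nothing for such a check to read, which is the limitation the paragraph describes.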

BleepingComputer has contacted Mercedes-Benz to learn if they have seen any signs of unauthorized access on their GitHub server, and we received the following response:

We can confirm that source code containing an internal access token was published on a public GitHub repository by human error.

This token gave access to a certain number of repositories, but not to the entire source code hosted at the Internal GitHub Enterprise Server.

We have revoked the respective token and removed the public repository immediately. Customer data was not affected as our current analysis shows. 

We will continue to analyse this case according to our normal processes. - Mercedes-Benz

The automaker told BleepingComputer that they do not want to share technical details on the incident for security reasons, so it is unclear if they have detected unauthorized access or not.

Also, the firm has said it is open to working with researchers worldwide and accepts security reports through its vulnerability disclosure program.
