According to the security research group that discovered the exposure, Mercedes-Benz unintentionally leaked a wealth of corporate data after a private key was posted online that allowed “unrestricted access” to the company’s source code.
RedHunt Labs co-founder and chief technology officer Shubham Mittal told TechCrunch about the exposure and asked for help notifying the automaker. The London-based cybersecurity company said that during a routine internet scan in January it found the authentication token of a Mercedes employee in a public GitHub repository.
According to Mittal, the token, which GitHub accepts in place of a password for authentication, could have given anyone full access to Mercedes’s GitHub Enterprise Server and allowed them to download the company’s proprietary source code repositories.
TechCrunch notified Mercedes of the exposure on Monday. On Wednesday, spokeswoman Katja Liesenfeld confirmed that the company had “revoked the respective API token and removed the public repository immediately.”
The exposed key was published in late September 2023; it is not known whether anyone other than Mittal found it.
Mercedes declined to say whether it is aware of any unauthorized third-party access to the exposed data, or whether it has the technical means, such as access logs, to determine whether its code repositories were accessed without authorization. The representative cited unspecified security reasons for not commenting.