It turned out that the GitHub token of a Mercedes-Benz employee was placed in a public repository and anyone could download the intellectual property



Mercedes-Benz maintains public repositories on GitHub to share its experience and values with the external community and to contribute to open source software. However, an investigation by a security research firm revealed that an employee authentication token granting access to Mercedes-Benz's private repositories had been placed in a public repository, allowing anyone to download sensitive data and intellectual property.

How a mistakenly published password exposed Mercedes-Benz source code | TechCrunch

https://techcrunch.com/2024/01/26/mercedez-benz-token-exposed-source-code-github/



The following is the Mercedes-Benz Group's public GitHub organization, which has released various APIs and front-end toolkits for the 'MO360' digital production system.

Mercedes-Benz Group · GitHub

https://github.com/mercedes-benz



Shubham Mittal of the security research firm RedHunt Labs told the news site TechCrunch that in January 2024, during a routine scan of the internet, he found a Mercedes-Benz employee's authentication token in a public GitHub repository.

This token allowed access to Mercedes-Benz's GitHub Enterprise Server and made it possible to download private source code repositories. According to Mittal, the repositories held a large amount of intellectual property and internal information, including connection information, cloud access keys, blueprints, design documents, single sign-on passwords and API keys, and anyone holding the token could access all of it without restriction and without oversight.
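The incident described above is the classic "secret committed to a public repository" failure. As an added example that is not part of the original article and not code from Mercedes-Benz or RedHunt Labs, the following Python script scans a set of files (the kind of content a pre-commit hook would see in a staged diff) for strings shaped like GitHub tokens and reports masked findings so the commit can be blocked before it is pushed. The "ghp_" and "github_pat_" prefixes are the GitHub token formats the author of this example knows of; the minimum lengths in the patterns are assumptions chosen to be loose rather than exact, and the sample token in the constructed input is invented and inert.

```python
import re
from dataclasses import dataclass

# Patterns for GitHub credential formats. The prefixes are real GitHub
# token prefixes; the minimum lengths are an assumption and are kept loose
# so that a slightly different token length is still caught.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
    "github_oauth_or_app": re.compile(r"\bgh[ours]_[A-Za-z0-9]{20,}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # never carry the full secret into logs or CI output


def mask(secret: str) -> str:
    """Keep the prefix and last four characters so the finding is recognisable
    without reproducing the whole credential."""
    return secret[:8] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token-shaped match in the given file content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, mask(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, as a hook would build from the index."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input standing in for staged files. The token value is
# made up for this example and does not correspond to any real credential.
SAMPLE_FILES = {
    "config/deploy.env": (
        "GHE_URL=https://git.example.internal\n"
        "GHE_TOKEN=ghp_FAKEexample0123456789abcdefghijklmnop\n"
    ),
    "README.md": "Read the token from the environment at run time; never commit it.\n",
}


def main() -> int:
    """Exit non-zero when anything token-shaped is found, so a hook can refuse the commit."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: possible {f.kind}: {f.masked}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To use this in a real pre-commit hook, replace SAMPLE_FILES with the staged file contents (for example by reading each path listed by `git diff --cached --name-only`); the non-zero exit code is what makes git abort the commit. Pattern matching of this kind only catches tokens with a recognisable prefix, so it complements, rather than replaces, the repository-level secret scanning and the short token lifetimes that would have limited the exposure described in the article.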

It is unclear whether customer data was included.



TechCrunch relayed this information to Mercedes-Benz on January 22nd. On January 24, Mercedes-Benz spokesperson Katja Riesenfeld confirmed to TechCrunch that the respective API tokens were revoked and the public repositories were immediately deleted.

According to Riesenfeld, the token ended up in the public repository because of human error, and the company plans to conduct an internal investigation and take corrective measures.

The token is believed to have been published in late September 2023, and it is unclear whether anyone other than Mittal noticed it.

In 2020, Mercedes-Benz experienced an incident in which the source code of its in-vehicle processing unit was leaked because of a mistake in the security settings of a GitLab server.

Mercedes-Benz's on-board computing unit (OLU) source code leaked - GIGAZINE



in Security, Posted by logc_nt