Mercedes-Benz Exposes Source Code in Accidental Password Publication Incident

By Dabbie Davis

Jan 29, 2024 03:48 AM EST

[Photo: a black Mercedes-Benz building under a blue and white sky. Credit: Pexels/Mike Bird]

Mercedes-Benz accidentally revealed its source code when a password was mistakenly made public, possibly putting sensitive internal data at risk. The company has swiftly taken action to rectify the situation and make the security of its systems a top priority.

Source Code Revealed: Mercedes-Benz, Security Alert

Mercedes-Benz inadvertently exposed its source code and sensitive internal data when a private key was left online, granting unrestricted access to the company's source code. The security research firm RedHunt Labs, led by Shubham Mittal, found a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. Mittal reached out to TechCrunch for assistance in notifying the car maker about the security breach, and TechCrunch subsequently published details of the Mercedes-Benz source code exposure.

Moreover, Mittal shared proof with TechCrunch, demonstrating that the exposed repositories included Microsoft Azure and Amazon Web Services (AWS) credentials, a Postgres database, and Mercedes source code. It remains uncertain whether any customer information was present in these repositories.
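As an added, illustrative example (not part of the original report, and not tooling from Mercedes-Benz, RedHunt Labs or TechCrunch), the following Python script shows the kind of pre-commit or repository scan that flags the credential types named above, AWS keys and a Postgres connection string with an embedded password, before a file reaches a public repository. The sample file contents, rule names and entropy threshold are constructed for this illustration; the AWS values are the placeholder examples from AWS's own documentation, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Regexes for the credential kinds named in the report: AWS keys and a Postgres
# database. AWS access key IDs begin with "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 uppercase alphanumerics, per AWS documentation.
# The assignment rule catches "secret = ..." style lines and is filtered by
# entropy so obvious placeholders are not reported. Illustrative ruleset only,
# not a complete secret scanner.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "postgres_uri_with_password": re.compile(r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@\S+"),
    "secret_assignment": re.compile(
        r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen for this illustration


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string or a single repeated character."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str, keep: int = 4) -> str:
    """Mask all but the first few characters so a finding can be shared without re-leaking the value."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_text(path: str, text: str) -> list:
    """Run every rule over every line; return one Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            # The assignment rule captures the value in group 1; the others match the whole token.
            value = match.group(match.lastindex or 0)
            if rule == "secret_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value such as "xxxxxxxx..." is treated as a placeholder
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


# Constructed sample file. The AWS values are the placeholder examples from
# AWS's own documentation, not live credentials; everything else is made up.
SAMPLE_CONFIG = """\
# settings.env (constructed sample)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:s3cr3tpass@db.internal.example:5432/orders
api_token = xxxxxxxxxxxxxxxxxxxxxxxx
log_level = debug
"""


def scan_sample() -> list:
    return scan_text("settings.env", SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

Run as a pre-commit hook or in CI, a check like this blocks the commit when `scan_sample()`-style findings are non-empty; findings carry only a redacted prefix so that the report itself does not become a second leak. Detection is the cheap half of the control: the report above shows the other half, revoking the token and removing the repository once a leak is confirmed.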

TechCrunch revealed that it informed Mercedes about the security problem on Monday; Mercedes spokesperson Katja Liesenfeld confirmed that the company promptly invalidated the relevant API token and removed the public repository on Wednesday.

Furthermore, TechCrunch shared the uncertainty about whether anyone other than Mittal came across the disclosed key, which was made public in late September 2023.

Mercedes chose not to comment on whether they have knowledge of any third-party access to the exposed data or if they possess the technical capability, such as access logs, to ascertain if there was any unauthorized access to their data repositories. The spokesperson mentioned unspecified security concerns as the reason for not providing further details.


Mercedes-Benz Responded

According to Robots.Net, upon receiving notification of the security problem, Mercedes-Benz swiftly responded. Katja Liesenfeld, the company's spokesperson, verified that they invalidated the API token and promptly deleted the public repository.

Liesenfeld stressed that Mercedes-Benz places a high priority on the security of its organization, products, and services. The company is currently conducting a comprehensive investigation into the incident and will enact any necessary corrective actions.

This was not the first such incident for Mercedes-Benz. In 2020, the company experienced a similar exposure. As reported by ZDNet, the source code used in the "smart car" components installed in Mercedes-Benz vans was exposed on the internet. The breach happened when Till Kottmann, a software engineer based in Switzerland, stumbled upon a Git web portal associated with Daimler AG, the German automotive company responsible for the Mercedes-Benz brand.

Kottmann informed ZDNet that he successfully registered an account on Daimler's code-hosting platform and subsequently accessed over 580 Git repositories, which contained the source code for the onboard logic units (OLUs) used in Mercedes vehicles.

The OLU functions as an intermediary component, bridging the gap between a vehicle's hardware and software, facilitating the connection of vehicles to the cloud.

ZDNet cited Daimler's explanation that the OLU streamlines technical access and the handling of real-time vehicle data, enabling third-party developers to create applications that access information from Mercedes vans. These apps are usually used for tracking the whereabouts of vans while they are in transit, monitoring a van's internal condition, or immobilizing a van in the event of theft.

