The victim of this security incident is Mercedes-Benz, the German automotive manufacturer known for its luxury cars, buses, and trucks. The incident stemmed from a GitHub token mishandled by one of its employees.
A GitHub token, inadvertently committed to a public repository owned by a Mercedes-Benz employee, granted unrestricted and unmonitored access to the company's internal GitHub Enterprise Server. Anyone who found the token could read the private source code repositories it covered. The exposed material included database connection strings, cloud access keys, blueprints, design documents, Single Sign-On (SSO) passwords, API keys, and other critical internal data. Secrets of this kind are dangerous on their own: connection strings and cloud keys give direct access to backend systems, and source code lets a competitor reverse engineer proprietary technology or lets an attacker hunt for vulnerabilities in vehicle systems, gain unauthorized access to data, disrupt services, or abuse the company's infrastructure for malicious purposes.
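The discovery in this incident hinged on spotting a GitHub token in a public repository. The Python scanner below is an added example, not code from RedHunt Labs, Mercedes-Benz, or GitHub: it finds token-shaped strings in committed text (for instance the output of `git log -p` or a cloned file) and, for classic `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` tokens, verifies the checksum that GitHub built into its token format in 2021. The checksum scheme is assumed here to be a CRC32 of the 30 random characters, encoded as six base62 digits using the 0-9A-Za-z alphabet; the sample file content and every token value in it are constructed for the example and are not real secrets.

```python
"""Scan committed text for leaked GitHub tokens and filter lookalikes.

Added example: demonstrates the kind of check a secret-scanning pipeline runs
before raising an alert on a public repository. Not the code of any party
named in the article.
"""
import re
import zlib

# Classic token prefixes: ghp_ (personal access), gho_ (OAuth), ghu_ (user-to-server),
# ghs_ (installation / server-to-server), ghr_ (refresh). 36 characters follow the prefix.
CLASSIC_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")
# Fine-grained personal access tokens: fixed prefix plus 82 base62/underscore characters.
FINE_GRAINED_RE = re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b")

# Assumption: GitHub's checksum uses the standard 0-9A-Za-z base62 alphabet.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62(n: int, width: int) -> str:
    """Encode a non-negative integer as zero-padded base62."""
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def classic_checksum(random_part: str) -> str:
    """Assumed GitHub scheme: CRC32 over the 30 random chars, as six base62 digits."""
    return base62(zlib.crc32(random_part.encode("ascii")) & 0xFFFFFFFF, 6)


def classic_checksum_ok(token: str) -> bool:
    """True if the last six characters match the checksum of the preceding 30."""
    body = token[4:]  # strip the 4-char prefix such as 'ghp_'
    return len(body) == 36 and classic_checksum(body[:30]) == body[30:]


def redact(token: str, prefix_len: int) -> str:
    """Keep the prefix and four characters so an alert is useful without re-leaking the secret."""
    keep = prefix_len + 4
    return token[:keep] + "*" * (len(token) - keep)


def scan_text(text: str) -> list[dict]:
    """Return one finding per token-shaped string, with redacted value and checksum result."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CLASSIC_TOKEN_RE.finditer(line):
            tok = m.group(0)
            findings.append({
                "line": lineno,
                "kind": "classic",
                "token": redact(tok, 4),
                # A failed checksum is almost certainly a lookalike, not a live token.
                "checksum_ok": classic_checksum_ok(tok),
            })
        for m in FINE_GRAINED_RE.finditer(line):
            tok = m.group(0)
            findings.append({
                "line": lineno,
                "kind": "fine_grained",
                "token": redact(tok, 11),
                "checksum_ok": None,  # not validated in this example
            })
    return findings


# --- Constructed sample input (not real credentials) -------------------------------
RANDOM_PART = "A" * 30  # placeholder random part
VALID_TOKEN = "ghp_" + RANDOM_PART + classic_checksum(RANDOM_PART)
# Same shape, last checksum character altered: a lookalike that should be down-ranked.
BOGUS_TOKEN = VALID_TOKEN[:-1] + ("0" if VALID_TOKEN[-1] != "0" else "1")
FAKE_FINE_GRAINED = "github_pat_" + "B" * 82

SAMPLE_FILE = f"""# constructed sample: settings.py accidentally pushed to a public repository
GITHUB_ENTERPRISE_URL = "https://git.example.internal"
GITHUB_TOKEN = "{VALID_TOKEN}"
LEGACY_TOKEN = "{BOGUS_TOKEN}"
CI_TOKEN = "{FAKE_FINE_GRAINED}"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
```

Run against a real repository with `git log -p --all | python scanner.py` style plumbing (reading stdin instead of `SAMPLE_FILE`). Any hit with `checksum_ok` true or unknown should be treated as a live credential: revoke it first, then work out what it could reach, since a token's scopes and the repositories it grants access to cannot be determined from the string alone.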
RedHunt Labs discovered the GitHub token on September 29, 2023, and reported it to Mercedes-Benz on January 22, 2024, with assistance from TechCrunch. The token was revoked two days later, cutting off further access and abuse. The incident resembles Toyota's security mishap of October 2022, where personal customer information remained publicly accessible for five years because of an access key exposed on GitHub. In response to inquiries from BleepingComputer, Mercedes-Benz confirmed the incident but stated that the token gave access to specific repositories, not the entire source code hosted on the internal GitHub Enterprise Server. The company said customer data was not affected, while declining to disclose technical details for security reasons, and expressed a commitment to working with researchers worldwide through its vulnerability disclosure program.