Why it matters: Security researchers regularly scan the internet in search of unprotected servers or exposed "secrets" belonging to major industry players. However, what RedHunt Labs recently discovered goes far beyond a simple insecure server hosting some confidential data.
UK-based security company RedHunt Labs recently discovered an authentication token belonging to a Mercedes-Benz employee. The token was hosted in a public GitHub repository, as stated by RedHunt co-founder Shubham Mittal, and it could have been exploited to gain "unrestricted access" to business secrets and other crucial authentication credentials of the German automotive giant.
RedHunt identified the exposed authentication token during a routine internet scan in January, but the token itself had been published back in September 2023. By using the private key, malicious actors or cybercriminals could have obtained full access to a GitHub Enterprise Server owned by Mercedes-Benz. The volume and sensitivity of data stored on the mentioned server were truly staggering.
The GitHub token provided "unrestricted" and "unmonitored" access to a large amount of Mercedes-Benz intellectual property files, including blueprints, design documents, and other "critical" internal information. Mittal emphasized that the server was also hosting cloud access keys, API keys, and additional passwords, which could have been exploited to disrupt the entire carmaker's IT infrastructure, creating an unprecedented and chaotic situation.
Worse still, Mittal confirmed (with evidence) that the insecure repositories exposed keys for Microsoft Azure and Amazon Web Services (AWS) servers, a Postgres database, and even the source code for Mercedes-Benz software. No customer data was seemingly hosted on the affected servers, according to the security researcher.
RedHunt shared details about the embarrassing security incident with TechCrunch, which then disclosed the issue to Mercedes-Benz. A spokesperson from the German company soon confirmed that the unrestricted API token was revoked, and the public repository was removed "immediately."
The carmaker's internal source code was inadvertently published on a public GitHub server due to human error, the spokesperson said. An internal investigation is still ongoing, and additional "remedial measures" will be implemented accordingly.
The unmonitored token was exposed to public access for months, but so far, there is no evidence that malicious actors or cybercriminals were able to discover and abuse the secret to compromise Mercedes-Benz's business. The company did not confirm whether it was able to detect unknown access attempts to its systems via access logs or other security measures.
