A misconfigured Git server has caused the leak of the source code of mobile apps and internal software used by Nissan North America.
The situation is embarrassing: software engineer Tillie Kottmann was informed by an anonymous source that the Git server was exposed online and accessible to anyone using the default login credentials admin/admin.
The news was first reported by ZDNet, which was contacted by Kottmann.
The engineers analyzed the content of the repository and confirmed the presence of the source code for:
In a series of tweets, the researchers also provided insights related to the code, such as the password handling routine implemented in the ASIST/NNA_MNS_PartsServices_IMS-ASISTUserAuthentication process.
The car maker shut down the Git server after the public disclosure of the leak.
The leaked data are already circulating in the hacking underground; experts reported the availability of torrent links to the leaked material on hacking forums and Telegram channels.
A company spokesperson told ZDNet that the company launched an investigation into the incident and promptly secured the impacted server.
“Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident.” states the spokesperson. “The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”
The researcher found a similar data leak in May 2020 that impacted Mercedes Benz.