Pierluigi Paganini March 10, 2023

Cybernews researchers discovered that BMW exposed sensitive files that were generated by a framework that BMW Italy relies on.

Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/

Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.

• BMW exposed sensitive files to the public
• Attackers could exploit the data to steal the website’s source code and potentially access customer info
• BMW secured the data that wasn’t meant to be public in the first place
• BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer

BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.

If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.

The discovery

In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.

Researchers noted that while this information is not enough for threat actors to compromise the website, they could be used for reconnaissance – covertly discovering and collecting information about a system. Data could lead to the website being compromised or point attackers towards customer information storage and the means to access it.

The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.

“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.

In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw. The company might have either used a vulnerable Laravel version or it might have been misconfigured by mistake by someone using an up-to-date version.

Recommendations for BMW

• Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential vulnerabilities within the website
• Reset credentials of MySQL and PostgreSQL databases, change ports and IP of the host to avoid sensitive data leakage
• Change the ports used by the administrative portals to listen to incoming connections to avoid the exposure of the internal tools and a potential tip-off of hackers on what attacks to launch

What BMW knows about you

• As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
• BMW also knows what vehicle you own, has contract details, and your online account’s data that could be used for phishing and/or credential-stuffing attacks
• BMW knows technical information about your vehicle,and the location of your phone if it has BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since the attacker could figure out if you are inside your car or far away from it
• Since the data was secured by the manufacturer, there’s no need to worry. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information

If you want to know more about car hacking and which are the mistakes made by car makers give a look at the original post at

https://cybernews.com/security/bmw-exposes-italy-clients/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BMW Italia)