Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/
Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.
BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.
If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.
In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.
Researchers noted that while this information is not enough for threat actors to compromise the website, they could be used for reconnaissance – covertly discovering and collecting information about a system. Data could lead to the website being compromised or point attackers towards customer information storage and the means to access it.
The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.
“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.
Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.
In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw. The company might have either used a vulnerable Laravel version or it might have been misconfigured by mistake by someone using an up-to-date version.
Recommendations for BMW
What BMW knows about you
If you want to know more about car hacking and which are the mistakes made by car makers give a look at the original post at
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
(SecurityAffairs – hacking, BMW Italia)