Pierluigi Paganini December 20, 2023

By neglecting to set a password, a BMW dealer in India has jeopardized the entire network of car dealerships in the country and put its clients at risk.

The Cybernews research team has discovered that the Bengaluru branch of BMW Kun Exclusive, a BMW dealership in India, has exposed sensitive data to the public.

The data leak could have resulted in unauthorized access to sensitive clients’ and business data or even a full takeover of the BMW outlet’s internal systems by threat actors.

The BMW Kun Exclusive put its systems at risk by leaving an environment configuration file (.env) accessible to the public.

The file contained credentials for various business accounts throughout India, including 19 other dealerships, logins to the platform to send marketing-related SMS, tokens, and API keys that give access to internal systems and their own WhatsApp account.

Cybernews reached out to the company for an official comment but has yet to receive a reply.

Cybersecurity neglect puts companies at risk

Exposing an .env file poses a significant risk, as the file stored credentials in plaintext for various accounts of dealerships both in and outside India. Cybernews has no information on how the companies are connected.

List of dealerships with leaked credentials:

• BMW Bird Automotive
• BMW EVM Autokraft
• BMW Infinity Cars
• BMW Krishna Automobiles
• BMW Munich Motors
• BMW Navnit Motors
• BMW Speed Motorwagen
• BMW Titanium Autos
• BMW Varsha Autohaus
• BMW Bavaria Motors
• BMW Eminent Cars
• BMW Sanghi Classic
• BMW OSL Prestige
• BMW Gallops Autohaus
• BMW Enterprise BMW

Apart from being left accessible to the public, the fact that credentials were saved in plain text already shows weak cybersecurity practices. This kind of cybersecurity neglect potentially enabled malicious actors to gain unauthorized access to the dealership’s systems and databases.

This could encompass customer information, sales records, and financial data. As a result, there’s an elevated risk of sensitive information being stolen and misused for activities such as identity theft, fraud, or sale on the dark web.

The environment file also exposed the username, Entity ID, and password for the platform that’s used to send SMSs to clients. In the hands of cybercriminals, these credentials could be used to impersonate BMW Kun Exclusive and carry out fraud or smishing attacks, potentially leading to financial losses for victims and reputational damage for BMW.

API keys exposed

The leaked file also included API keys, usernames, secrets, hashes, tokens, and signatures. The primary and immediate concern is that threat actors could have potentially accessed systems, services, or data protected by the exposed API key.

Amongst the several APIs exposed, the most sensitive is the Oauth token endpoint, which might grant access to all the production APIs of BMW Kun Exclusive.

The list of exposed APIs:

• Event API: enables communication and information sharing between software programs or services.
• Testdrive system API: used to interact with clients and handle the testdriving system.
• Request callback API: enabling third parties to connect with a system or service by requesting a callback.
• BMW Kun Exclusive Whatsapp support API: used to facilitate communication between businesses and their customers on the messaging platform.
• Oauth token endpoint

Exposing API keys, especially when those APIs provide access to confidential or sensitive user data, could lead to data breaches.

Leaking the Testdrive system API may result in data breaches that reveal sensitive data such as contact and data of clients who signed up for test drives with Kun Exclusive BMW. Cybercriminals could use the API to obtain more personal information and carry out identity theft and other fraudulent acts.

Leaking the Whatsapp API poses a risk of threat actors accessing WhatsApp’s support system, leading to data breaches and improper use of the company’s official communication channel.

The exposure of the Request Callback API raises the concern that sensitive data might be exposed or leaked. This is particularly troubling because there’s a high likelihood that the exposed API provides access to clients’ personal data, initially provided to Kun Exclusive BMW for contact purposes.

Insufficiently securing APIs leaves them vulnerable to data manipulation. Leaked keys usually allow attackers to steal, modify, or delete data, posing significant security risks. The exposure of API signatures can have profound implications for the authenticity and integrity of requests sent to an API, as these signatures often serve as a means of verification.

The additional risk of exposed API keys and secrets lies in the attackers potentially exploiting them to disrupt BMW dealership services, employing tactics such as flooding servers with requests (DDoS attacks) or unauthorized alteration of configurations.

If you want to learn more about how BMW Kun Exclusive can mitigate the risks take a look at the original post at:

https://cybernews.com/security/bmw-india-data-leak/

About the author: Paulina Okunytė, Journalist at Cybernews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BMW dealer)