Mercedes-Benz accidentally exposed sensitive data, including source code

Pierluigi Paganini January 29, 2024

Researchers discovered that Mercedes-Benz accidentally left a private key online exposing internal data, including the company’s source code.

RedHunt Labs researchers discovered that Mercedes-Benz unintentionally left a private key accessible online, thereby exposing internal data, including the company’s source code. It’s unclear if the data leak exposed customer data.

RedHunt Labs shared its findings with TechCrunch and, with the help of the media outlet, notified the carmaker. The security firm discovered that an authentication token belonging to a Mercedes employee was left exposed in a public GitHub repository. The discovery was made during a routine internet scan in January.

The disclosed token had the potential to provide unrestricted access to Mercedes’s GitHub Enterprise Server, enabling anyone to retrieve the company’s private source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, told TechCrunch. “The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”

Mittal presented TechCrunch with proof verifying the existence of Microsoft Azure and Amazon Web Services (AWS) credentials, a Postgres database, and Mercedes source code in

The exposed repositories included Microsoft Azure and Amazon Web Services (AWS) credentials, a Postgres database, and Mercedes source code.

Once Mercedes became aware of the data leak, it revoked the exposed token and removed the public repository.

TechCrunch disclosed the security issue to Mercedes on Monday. On Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company “revoked the respective API token and removed the public repository immediately.”

“We can confirm that internal source code was published on a public GitHub repository by human error,” Mercedes spokesperson Katja Liesenfeld told TechCrunch. “The security of our organization, products, and services is one of our top priorities.” “We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures.”


The investigation into the breach revealed that the token had been exposed online since late September 2023. However, it remains unclear whether other actors gained unauthorized access to the carmaker’s data.

“Mercedes declined to say whether it is aware of any third-party access to the exposed data or whether the company has the technical ability, such as access logs, to determine if there was any improper access to its data repositories. The spokesperson cited unspecified security reasons,” concludes TechCrunch.
