Pierluigi Paganini April 25, 2023

Peugeot, a French brand of automobiles owned by Stellantis, exposed its users in Peru, a South American country with a population of nearly 34 million.

A brand, best known for its lion roaring for over a century, has leaked access to its user data in Peru.

And while the country is not that big of a market for the car maker, this discovery is yet another example of how big and well-known brands fail to secure sensitive data.

Peruvian data leak

On February 3rd, the Cybernews research team discovered an exposed environment file (.env) hosted on the official Peugeot store for Peru.

The exposed file contained:

• Full MySQL database Uniform Resource Identifier (URI) – a unique sequence of characters that identifies a resource – as well as username and password to access it;
• JSON Web Token’s (JWT) passphrase and locations of private and public keys;
• A link to the git repository for the site;
• Symfony application secret.

Combined, the leaked information could be used to compromise the dataset and the website.

Judging from its username, MySQL was used to store user information. The company has also leaked the credentials needed to access the dataset. An attacker could use this data to log in, exfiltrate, or modify the dataset’s contents.

The passphrase for JWT, an industry standard used to share information between two entities, was very weak and easily guessable. The private certificate, used in combination with the passphrase, was also stored on the same server.

The leaked Symphony application secret could have been used to decrypt previously encrypted data such as user cookies and session IDs. If exposed, such information could enable the threat actor to impersonate a victim and access applications illegitimately.

The link to the git repository could be used in social engineering attacks against the platform developers to gain access to the repository, and in turn, steal the source code of the site.

“The way the environment file was configured also shows a lack of expertise and understanding of how to develop applications securely. User information from a breach like this is very valuable to malicious actors, as car owners or future car owners are more likely to have more savings and are therefore a bigger target for malicious actors,” Cybernews researchers said.

If you want to know how big the impact of the data leak is, give a look at the original post at

https://cybernews.com/security/peugeot-user-data-leak-south-america/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Peugeot)