
Mercedes-Benz’s source code leaked online

A company spokesperson said that a human error caused the leak, leaving the token in an exposed repository in September 2023. UK-based RedHunt Labs discovered it during a standard scan last month.

Security researchers often scan the web to find unprotected servers or leaked secrets of major industry giants.

The token provided “unrestricted and unmonitored” access to blueprints, design documents and other crucial internal information belonging to the German car company.

Shubham Mittal, RedHunt’s co-founder, said the server hosted cloud access keys, API keys and additional passwords, which criminals could have used to disrupt the company’s IT infrastructure.

The private key would have given cybercriminals total access to the manufacturer’s own GitHub Enterprise Server. 

Mittal said the unsafe repositories also exposed keys for Microsoft Azure and Amazon Web Services servers; a Postgres database; and the source code for Mercedes-Benz software. However, all customer data is secure.

The security company confirmed the incident to TechCrunch, after which it also reported the issue to Mercedes-Benz. The company almost immediately revoked the unrestricted API token and scrapped the public repository. 

While RedHunt was the first to share its findings about the repository, we don’t know if it was the only party to locate the leaked key.

Following an internal investigation, Mercedes-Benz has put extra “remedial measures” in place, but hasn’t found any trace of cybercriminals abusing its IT secrets.

 
