Critical vulnerability for Mercedes-Benz: GitHub token exposure
Inadvertent exposure of a company token puts Mercedes-Benz's IT security to the test
Mercedes-Benz faced a data leak because an employee exposed a GitHub token, allowing access to important source code. The company responded by revoking the token and strengthening security measures.
In shedding light on recent cybersecurity issues, it emerges that Mercedes-Benz faced a significant vulnerability. RedHunt Labs, operating in the cybersecurity sector, has detected a publicly exposed GitHub token, owned by an employee of the German company. The latter would have allowed full access to company resources encoded on the GitHub server, including essential source code for the company, potentially resulting in massive disclosure of sensitive data.
Consequences of the compromised GitHub token
The public GitHub repository where the token was found contained, among other things, access keys to the Microsoft Azure and Amazon Web Services cloud and the code of the Postgres databases. The token gave an open green light to these elements from September 2023. Mercedes-Benz seized the opportunity by immediately revoking the token and sealing the public repository to contain the potential damage and avoid the dissemination of valuable and confidential information.
The measures taken by Mercedes-Benz
Mercedes-Benz confirmed that the security gap was due to human error by one of its employees and that it has launched a rigorous internal investigation. The company underlines the centrality of data security, ensuring that it will intervene with new cybersecurity policies and strategies to further armor its systems and prevent similar incidents in the future.
Safety incidents in the automotive sector
The Mercedes-Benz case once again raises the issue of data security in the automotive sector. Similarly, Ferrari has recently faced security issues: customer data has been stolen and there have been ransom demands. However, Ferrari has rejected the claims and stated that there is no evidence of direct breaches of its internal systems, nor operational disruptions. Both incidents serve as a wake-up call for the industry, emphasizing the need for even more rigorous and proactive management of online information security.
Follow us on Twitter for more pills like this01/31/2024 14:34
Marco Verro