Critical vulnerability for Mercedes-Benz: GitHub token exposure

In shedding light on recent cybersecurity issues, it emerges that Mercedes-Benz faced a significant vulnerability. RedHunt Labs, operating in the cybersecurity sector, has detected a publicly exposed GitHub token, owned by an employee of the German company. The latter would have allowed full access to company resources encoded on the GitHub server, including essential source code for the company, potentially resulting in massive disclosure of sensitive data.

Consequences of the compromised GitHub token

The public GitHub repository where the token was found contained, among other things, access keys to the Microsoft Azure and Amazon Web Services cloud and the code of the Postgres databases. The token gave an open green light to these elements from September 2023. Mercedes-Benz seized the opportunity by immediately revoking the token and sealing the public repository to contain the potential damage and avoid the dissemination of valuable and confidential information.

The measures taken by Mercedes-Benz

Mercedes-Benz confirmed that the security gap was due to human error by one of its employees and that it has launched a rigorous internal investigation. The company underlines the centrality of data security, ensuring that it will intervene with new cybersecurity policies and strategies to further armor its systems and prevent similar incidents in the future.

Safety incidents in the automotive sector

The Mercedes-Benz case once again raises the issue of data security in the automotive sector. Similarly, Ferrari has recently faced security issues: customer data has been stolen and there have been ransom demands. However, Ferrari has rejected the claims and stated that there is no evidence of direct breaches of its internal systems, nor operational disruptions. Both incidents serve as a wake-up call for the industry, emphasizing the need for even more rigorous and proactive management of online information security.