UPDATED 20:38 EDT / MAY 18 2020

SECURITY

Mercedes-Benz source code exposed via misconfigured Git registration system

The source code used in smart car components designed by Mercedes-Benz has been found exposed online via a misconfigured Git registration system.

Discovered by software engineer Till Kottmann and first reported today by ZDNet, the source code was found on a Git web portal belonging to Mercedes-Benz’s parent company Daimler AG. Kottman was able to freely register an account on the portal, then download 580 Git repositories that included the source code belonging to Mercedes vans.

The repository itself was found via Google search. Kottmann said he often hunts for interesting GitLab instances and was lucky to stumble across this one.

Although the data primarily included information relating to the smart car component, further analysis also found passwords and application programming interface tokens for Daimler’s internal systems. The Git repositories have since been taken offline.

“In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors,” Chris DeRamus, vice president of technology, cloud security practice at  security operations firm Rapid7 Inc., told SiliconANGLE. “Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.”

The exposure highlights how developers and security teams must work toward proactively identifying compliance and security issues before cloud resources are deployed, he added. “Instead of primarily relying on runtime security, organizations should ‘shift left’ by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines,” he said. “Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.”

Lior Levy, co-founder and chief executive officer of source code management and security firm Cycode Ltd., noted that this shows once again that source code remains a critical unprotected asset in organizations.

“The fact that such a major component’s source code and all the classified corporate data it entails was leaked from an on-premise server, proves the need for a dedicated system protecting it,” Levy said. “The exposed repository, which contained both API tokens and passwords as well as the technical configuration and source code, can be used by attackers for vulnerability research, and for a targeted attack against the corporate infrastructure.”

Photo: Vauxford/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and soon to be Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

We are holding our second cloud startup showcase on June 16. Click here to join the free and open Startup Showcase event.

 

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you. Thanks for taking the time to read this post. Looking forward to seeing you at the event and in theCUBE Club.