UPDATED 20:38 EST / MAY 18 2020


Mercedes-Benz source code exposed via misconfigured Git registration system

The source code used in smart car components designed by Mercedes-Benz has been found exposed online via a misconfigured Git registration system.

Discovered by software engineer Till Kottmann and first reported today by ZDNet, the source code was found on a Git web portal belonging to Mercedes-Benz’s parent company Daimler AG. Kottman was able to freely register an account on the portal, then download 580 Git repositories that included the source code belonging to Mercedes vans.

The repository itself was found via Google search. Kottmann said he often hunts for interesting GitLab instances and was lucky to stumble across this one.

Although the data primarily included information relating to the smart car component, further analysis also found passwords and application programming interface tokens for Daimler’s internal systems. The Git repositories have since been taken offline.

“In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors,” Chris DeRamus, vice president of technology, cloud security practice at  security operations firm Rapid7 Inc., told SiliconANGLE. “Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.”

The exposure highlights how developers and security teams must work toward proactively identifying compliance and security issues before cloud resources are deployed, he added. “Instead of primarily relying on runtime security, organizations should ‘shift left’ by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines,” he said. “Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.”

Lior Levy, co-founder and chief executive officer of source code management and security firm Cycode Ltd., noted that this shows once again that source code remains a critical unprotected asset in organizations.

“The fact that such a major component’s source code and all the classified corporate data it entails was leaked from an on-premise server, proves the need for a dedicated system protecting it,” Levy said. “The exposed repository, which contained both API tokens and passwords as well as the technical configuration and source code, can be used by attackers for vulnerability research, and for a targeted attack against the corporate infrastructure.”

Photo: Vauxford/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy