Mercedes source code exposed via GitHub token leak


The leaked GitHub token gave unrestricted access to the carmaker’s source code, exposing intellectual property, passwords, and cloud access keys.

The Mercedes-Benz GitHub token, owned by an employee of the company, was discovered in a public repository on September 29th. According to researchers at RedHunt Labs, the token gave access to the company’s internal GitHub Enterprise Server.
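A token like the one described above is findable in a public repository because GitHub tokens carry a recognisable prefix. The scanner below is an added example for this article, not RedHunt Labs' tooling or anything Mercedes-Benz runs. It matches the token formats GitHub has published for its own tokens (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` plus 36 characters; `github_pat_` plus 22, an underscore and 59) and uses a Shannon-entropy threshold to separate documentation placeholders from randomly generated values. Whether a given GitHub Enterprise Server issues tokens in the same format, and the threshold value, are assumptions of the example; the sample file contents are constructed and contain no real secrets.

```python
"""Scan text for GitHub-style access tokens (added example, not the
researchers' or Mercedes-Benz's tooling).  Token formats are the ones
GitHub has documented for github.com; assuming a GitHub Enterprise
Server instance uses the same format is an assumption of this example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

TOKEN_PATTERNS = {
    # Classic PAT / OAuth / user-to-server / server-to-server / refresh
    # tokens: 4-char prefix + 36 base62 chars (40 chars total).
    "classic": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    # Fine-grained PAT: "github_pat_" + 22 chars + "_" + 59 chars (93 total).
    "fine_grained": re.compile(r"\b(github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"),
}

# Placeholders in docs ("ghp_xxxx...") have very low entropy; real tokens are
# random base62.  The threshold is an assumption chosen for this example.
MIN_ENTROPY_BITS = 3.0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str
    entropy: float

    @property
    def likely_real(self) -> bool:
        return self.entropy >= MIN_ENTROPY_BITS


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    # Keep the prefix and last 4 chars so a finding can be matched against
    # the token on the issuer's side without repeating the secret in a report.
    return f"{token[:4]}...{token[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                findings.append(
                    Finding(line_no, kind, redact(token), shannon_entropy(token))
                )
    return findings


# Constructed sample of a committed config file; none of these are real tokens.
SAMPLE_COMMIT = "\n".join([
    "# constructed sample of a committed config file; no real secrets",
    "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
    "# placeholder copied from a README",
    "EXAMPLE=ghp_" + "x" * 36,
    'gh_pat="github_pat_11AAAAAAA0bcdefghijklm_'
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456"',
])


if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        flag = "LIKELY REAL" if f.likely_real else "placeholder?"
        print(f"line {f.line_no}: {f.kind:<13} {f.redacted}  "
              f"entropy={f.entropy:.2f}  {flag}")
```

Run it over `git log -p` output or a pre-commit hook's staged diff; a hit that is not a placeholder is a token to revoke first and investigate second, since the regex cannot tell whether the value is still live.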

“The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included Database Connection Strings, Cloud Access Keys, Blueprints, Design Documents, SSO Passwords, API Keys, and other critical internal information,” said the report.


According to the researchers, attackers could have abused the exposed token in several ways. For example, malicious actors could have accessed Mercedes’ source code and extracted intellectual property, reports, files, credentials, and other valuable information.

While the GitHub token was exposed at the end of September, the researchers only discovered it on January 11th, and Mercedes revoked it on January 24th. This means the company’s GitHub Enterprise Server could have been accessed without anyone knowing during a window of nearly four months.

“The leaked GitHub token for Mercedes’s GitHub Enterprise Server opens a gateway for potential adversaries to access and download the entire source code of the organization. Delving into this source code could expose highly sensitive credentials, creating a breeding ground for an extremely serious data breach against Mercedes-Benz,” researchers said.

Mercedes-Benz is among the largest brands of premium vehicles, selling millions of passenger cars every year. The Mercedes brand owner, Mercedes-Benz Group AG, reported revenues exceeding €133 billion ($144 billion). The company employs over 170,000 people.