Peugeot leaks access to user information in South America

Published: 24 April 2023
Last updated: 25 April 2023
Peugeot research featured pic
Cybernews/Shutterstock

Peugeot, a French brand of automobiles owned by Stellantis, exposed its users in Peru, a South American country with a population of nearly 34 million.

A brand, best known for its lion roaring for over a century, has leaked access to its user data in Peru.

ADVERTISEMENT

And while the country is not that big of a market for the car maker, this discovery is yet another example of how big and well-known brands fail to secure sensitive data.

Peruvian data leak

On February 3rd, the Cybernews research team discovered an exposed environment file (.env) hosted on the official Peugeot store for Peru.

The exposed file contained:

  • Full MySQL database Uniform Resource Identifier (URI) – a unique sequence of characters that identifies a resource – as well as username and password to access it;
  • JSON Web Token’s (JWT) passphrase and locations of private and public keys;
  • Symfony application secret.
ADVERTISEMENT
Peugeot data leak proof

Combined, the leaked information could be used to compromise the dataset and the website.

Judging from its username, MySQL was used to store user information. The company has also leaked the credentials needed to access the dataset. An attacker could use this data to log in, exfiltrate, or modify the dataset’s contents.

The passphrase for JWT, an industry standard used to share information between two entities, was very weak and easily guessable. The private certificate, used in combination with the passphrase, was also stored on the same server.

The leaked Symphony application secret could have been used to decrypt previously encrypted data such as user cookies and session IDs. If exposed, such information could enable the threat actor to impersonate a victim and access applications illegitimately.

The link to the git repository could be used in social engineering attacks against the platform developers to gain access to the repository, and in turn, steal the source code of the site.

“The way the environment file was configured also shows a lack of expertise and understanding of how to develop applications securely. User information from a breach like this is very valuable to malicious actors, as car owners or future car owners are more likely to have more savings and are therefore a bigger target for malicious actors,” Cybernews researchers said.

How big is the impact?

Stellantis, a major player in the automotive industry worldwide, manufactures and sells primarily Fiat, Jeep, Peugeot and Citroen brands in South America, with Argentina and Brazil being its largest markets in the region.

Judging from its latest financial report, the rest of South America is not that big of a market for the automotive giant.

ADVERTISEMENT

However, this leak is significant as it shows that large, well-known, and trusted brands can have severely insecure configurations, allowing attackers to breach their systems to steal user data or move laterally into other systems within the company.

Unfortunately, the Peugeot leak, discovered by the Cybernews research team, is not that unique.

Recently, we discovered data leaks by other major car manufacturers, including BMW and Toyota.

The evidence that your car is a new smart device, therefore vulnerable to being hacked, is piling up, and we believe that car manufacturers and their partners have a bigger responsibility than ever to secure their vehicles.

Share
Post
Share
Share
Share
More from Cybernews
By participating in this viral trend, you help train AI where it struggles the most
Windows hibernation may contribute to SSD wear as storage costs rise
UFO skeptic Michael Shermer apologizes to David Grusch
Man tries to make a sale on Facebook Marketplace, gets scammed out of $300 via Zelle
Critical FFmpeg flaw discovered: just watching a video can fully compromise your system
The world's top intelligence alliance: AI could supercharge cyberattacks within months
ADVERTISEMENT