Mercedes-Benz source code leaked via mismanaged GitHub token

February 1, 2024

A mishandled GitHub token exposed Mercedes-Benz source code to unauthorised access. Based on reports, the token could have given unauthorised individuals access to the company’s internal GitHub Enterprise Server and made the source code accessible to the public.

Mercedes-Benz, a famous German car, bus, and truck manufacturer known for its innovation, luxurious designs, and high build quality, employs software in various aspects of its vehicles and services.

These features include safety and control systems, infotainment, autonomous driving, diagnostic and maintenance tools, connectivity and telematics, and electric power and battery management for electric vehicles (EVs).

However, on September 29, 2023, researchers spotted a GitHub token in a public repository owned by a Mercedes-Benz employee. The token granted them access to the company’s internal GitHub Enterprise Server.

The token provided “unrestricted” and “unmonitored” access to the entire source code hosted on the internal server, exposing sensitive repositories with intellectual property, including database connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other crucial internal data.
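The failure described above is a credential sitting in plain text in a repository. The following defender-side check is an added example written for this article, not code from Mercedes-Benz or the researchers: it scans files (for instance the staged files in a pre-commit hook) for the publicly documented GitHub token formats and reports redacted findings. The sample configuration and its token values are constructed and not real credentials.

```python
import re
import sys
from typing import Dict, List, Tuple

# Publicly documented GitHub token shapes: classic PATs and OAuth/app tokens are a prefix
# (ghp_, gho_, ghu_, ghs_, ghr_) plus 36 characters; fine-grained PATs are github_pat_
# plus 22 characters, an underscore and 59 characters.
GITHUB_TOKEN_PATTERNS = {
    "classic_or_app_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# Constructed sample (made-up values, not real credentials): a settings file of the kind
# that ends up committed to a public repository by mistake.
SAMPLE_CONFIG = """\
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
DB_HOST=db.internal.example
FINE_GRAINED=github_pat_ABCDEFGHIJKLMNOPQRSTUV_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456
"""


def redact(token: str) -> str:
    """Keep the prefix and last four characters: actionable, but the secret is not re-leaked."""
    head = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{head}...{token[-4:]}"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, token_kind, redacted_token) for every GitHub token found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan each file on disk; only files with findings appear in the result."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # With file arguments this scans them; without, it scans the constructed sample.
    paths = sys.argv[1:]
    found = scan_files(paths) if paths else {"<sample>": scan_text(SAMPLE_CONFIG)}
    for path, hits in found.items():
        print("\n".join(f"{path}:{lineno}: {kind} {shown}" for lineno, kind, shown in hits))
    sys.exit(1 if found else 0)  # non-zero exit lets a pre-commit hook block the commit
```

Wired into a pre-commit hook with the staged file list as arguments, the non-zero exit stops the commit before the token ever reaches a remote.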

The potential leak of Mercedes-Benz source code could have several consequences.

The repercussions of such an exposure for Mercedes-Benz could be severe: competitors could reverse-engineer proprietary technology, attackers could exploit vulnerabilities in vehicle systems, and exposed API keys could be misused for unauthorised data access, service disruption, and malicious use of the company’s infrastructure.

In addition, there are concerns about potential legal violations, such as GDPR infringement, if the exposed repositories contained customer data.

The researchers notified Mercedes-Benz about the token leak earlier this year, and the report prompted the company to revoke the token to prevent further access and abuse. The incident resembles a security lapse at Toyota in October 2022, where personal customer data remained publicly accessible for five years because of an exposed GitHub access key.

Mercedes-Benz confirmed that an internal access token had been inadvertently published in a public GitHub repository through human error. While the token granted access to specific repositories, it did not expose the entire source code hosted on the internal GitHub Enterprise Server.

Mercedes-Benz promptly revoked the token, removed the public repository, and stated that, based on its analysis so far, customer data was unaffected. The company has declined to provide further technical details for security reasons but said it is willing to collaborate with researchers worldwide through its vulnerability disclosure program.
