TechRadar
Sead Fadilpašić

Mercedes-Benz source code was exposed by an easy-to-miss security flaw

Drive Pilot.

Mercedes-Benz had a glaring vulnerability in a public repository that exposed its source code, a treasure trove of valuable, sensitive information, and put the company at risk of regulatory fines. Whether anyone managed to exploit the flaw before it was found and plugged remains to be seen.

Cybersecurity researchers from RedHunt Labs found a GitHub repository belonging to a Mercedes employee in late September 2023.

This repository contained a GitHub token which granted access to the company’s internal GitHub Enterprise Server.
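The root cause described above is a credential committed to a repository that later became public. As an illustration added to this article (it is not part of TechRadar's reporting, nor code from Mercedes-Benz or RedHunt Labs), the following Python script shows the kind of check a team can run before a commit or in CI to catch GitHub tokens in files. The token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) are GitHub's published formats; the length ranges and the sample settings file are assumptions constructed for this example.

```python
"""Scan text or files for GitHub access tokens before they reach a remote.

Added example: a minimal secret scanner for the incident type described in
the article. Patterns and lengths are assumptions for illustration; in
production, prefer a maintained scanner and GitHub's own secret scanning.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Prefix-based patterns for GitHub tokens. Classic PATs and app/OAuth tokens
# share the gh?_ prefix; fine-grained PATs start with github_pat_.
# The {36,255} / {40,255} bounds are an assumption used to avoid short,
# obviously non-token strings; tune them against current GitHub docs.
TOKEN_PATTERNS = {
    "github_classic_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,255})\b"),
    "github_fine_grained_pat": re.compile(r"\b(github_pat_[A-Za-z0-9_]{40,255})\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # never keep the full secret in reports or logs


def redact(token: str) -> str:
    """Keep just enough of the token to locate it, never the whole value."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every token-shaped match in `text`, with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(1))))
    return findings


def scan_paths(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each file path; binary or unreadable content is skipped."""
    results = {}
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="strict")
        except (OSError, UnicodeDecodeError):
            continue
        hits = scan_text(text)
        if hits:
            results[path] = hits
    return results


# Constructed sample: a settings file of the kind that ends up in a repo by
# mistake. The token values are fabricated and match only by shape.
SAMPLE_FILE = """\
# constructed example of a settings file checked into a repository
DB_URL=postgres://app:pw@db.internal/app
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
NOTE=ghp_tooshort_is_not_a_token
GH_FINE=github_pat_11AAAAAAA0000000000_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


if __name__ == "__main__":
    # With file arguments, behave like a pre-commit hook: non-zero exit blocks
    # the commit. Without arguments, scan the constructed sample.
    if len(sys.argv) > 1:
        report = scan_paths(sys.argv[1:])
        for path, hits in report.items():
            for hit in hits:
                print(f"{path}:{hit.line_no}: {hit.kind} {hit.redacted}")
        sys.exit(1 if report else 0)
    for hit in scan_text(SAMPLE_FILE):
        print(f"sample:{hit.line_no}: {hit.kind} {hit.redacted}")
```

Run as `python scan_tokens.py path/to/file ...` in a pre-commit hook to block commits that contain a match. The report carries only redacted values, so the hook's own output does not become another copy of the secret; a real deployment should still treat a confirmed hit as a revoke-and-rotate event, not just a blocked commit.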

Human error

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the Internal GitHub Enterprise Server," RedHunt Labs' report claims. "The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information."

The researchers suggest that this was a major mishap that could cost the company dearly. By reverse-engineering the source code, other automakers can uncover the secrets of proprietary tech. Hackers can use the same material to find flaws, both in the vehicles and in the company itself, which could in turn lead to cyberattacks such as ransomware.

Finally, if the repositories held sensitive customer data, data protection watchdogs will have a field day as well.

However, in a statement given to BleepingComputer, Mercedes says that won’t be the case.

“We can confirm that source code containing an internal access token was published on a public GitHub repository by human error,” the company said. “This token gave access to a certain number of repositories, but not to the entire source code hosted at the Internal GitHub Enterprise Server. We have revoked the respective token and removed the public repository immediately. Customer data was not affected as our current analysis shows.”
