Mercedes-Benz source code was exposed by an easier to miss security flaw

Drive Pilot
(Image credit: Mercedes-Benz)

Mercedes-Benz had a glaring vulnerability in an open-source repository that exposed its source code, a treasure trove of valuable, sensitive information, and put the company at risk of regulatory fines. Whether or not anyone managed to exploit the flaw before it was found and plugged, remains to be seen.

Cybersecurity researchers from RedHunt Labs found a GitHub repository belonging to a Mercedes employee in late September 2023.

This repository contained a GitHub token which granted access to the company’s internal GitHub Enterprise Server.

Human error

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the Internal GitHub Enterprise Server," RedHunt Labs' report claims. "The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information."

The researchers suggest that this was a major mishap that could cost the company dearly. By reverse-engineering the source code, other automakers can uncover the secrets of proprietary tech. Hackers can use the same thing to find flaws, both in the vehicles and in the company itself which, consequently, could lead to cyberattacks such as ransomware. 

Finally, if the repositories held sensitive customer data, data protection watchdogs will have their field day, as well.

However, in a statement given to BleepingComputer, Mercedes says that won’t be the case. 

“We can confirm that source code containing an internal access token was published on a public GitHub repository by human error,” the company said. “This token gave access to a certain number of repositories, but not to the entire source code hosted at the Internal GitHub Enterprise Server. We have revoked the respective token and removed the public repository immediately. Customer data was not affected as our current analysis shows.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.