A mishandled GitHub token exposed Mercedes-Benz source code

A Mishandled GitHub Token Exposes Mercedes-Benz Source Code

Mercedes-Benz, renowned for its history of innovation, luxurious designs, and top build quality, faced a critical security incident. A GitHub token, mistakenly exposed in a public repository by a Mercedes employee, granted unrestricted access to the company's internal GitHub Enterprise Server.

The leaked token provided unmonitored access to the entire source code, including sensitive repositories housing intellectual property. Among the compromised information were database connection strings, cloud access keys, blueprints, design documents, SSO passwords, and API keys.

The consequences of this exposure are severe. Competitors could reverse-engineer proprietary technology, and hackers might exploit vulnerabilities in vehicle systems. Additionally, exposed API keys could lead to unauthorized data access, service disruptions, and misuse of the company's infrastructure.

RedHunt Labs also raises concerns about potential legal violations, such as GDPR infringement if customer data was present in the exposed repositories. However, the exact contents of the files remain unverified.