A password is mistakenly published; source code, blueprints and more put at risk

We blogged about Hyundai India and their bug which they said was never a bug.

Now, it's Mercedes-Benz's turn to figure out what's going on.

Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it.

These mistakes can happen, but GitHub is one of the biggest code repository sites on the Internet, and a mistake like this could be detrimental to the way you do business.

Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.

According to Mittal, this token — an alternative to using a password for authenticating to GitHub — could grant anyone full access to Mercedes’s GitHub Enterprise Server, thus allowing the download of the company’s private source code repositories.

So they’re using the better of the security options out there, and yes, the article does state that they revoked the appropriate credentials, but how long was it really out there for? I guess we’ll never know.

I would be doing my best, if I were using the site that way, to make sure that I do not publish keys and proprietary things that should not be published. I understand mistakes happen, and like the other night, I was looking for something, found one thing and said I'd deal with finding the other once I was more awake and could deal with learning how to navigate said web site.
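One practical way to keep a token like the one described above from ever reaching a public repository is a pre-commit check that scans the lines about to be committed for well-known GitHub token formats. The script below is an added example, not code from TechCrunch, RedHunt Labs or Mercedes-Benz; it assumes GitHub's publicly documented token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` and `github_pat_`), the length constraints in the regular expressions are an assumption made for this example, and the sample config and the two tokens in it are constructed and fake.

```python
"""Pre-commit style scanner for GitHub tokens in text that is about to be published.

Added example: run with no arguments to scan the constructed sample below, or with
--staged from a repository checkout to scan only the lines added in the staged diff.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Publicly documented GitHub token prefixes. The character-count constraints are an
# assumption for this example; they mainly keep the bare prefix in prose from matching.
TOKEN_PATTERNS = {
    "github_token_classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_token_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{40,}\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep the prefix and the last four characters so a reviewer can tell which
    token to revoke without the scanner's own output re-exposing the secret."""
    return f"{secret[:7]}...{secret[-4:]}"


def find_secrets(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def staged_additions() -> str:
    """Return only the added lines of the staged diff, i.e. the text that would
    reach the remote on the next push (requires a git checkout)."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


# Constructed sample (fake tokens): a config file with a classic token on line 3
# and a fine-grained token on line 5. The comment on line 2 must not match.
SAMPLE_CONFIG = """\
[github]
# comment mentioning the ghp_ prefix without an actual token
token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
[ci]
deploy_key = github_pat_11AAAAAAA0bbbbbbbbbbbbbbbbb_CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
"""


def main() -> int:
    text = staged_additions() if "--staged" in sys.argv else SAMPLE_CONFIG
    findings = find_secrets(text)
    for f in findings:
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
    # Non-zero exit blocks the commit when this runs as a git pre-commit hook.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into `.git/hooks/pre-commit` with `--staged`, the check runs on every commit and refuses it while a token-shaped string is in the staged changes; the redacted output tells the developer which credential to revoke if it has already been used elsewhere. A pattern list like this only catches formats it knows about, so it complements rather than replaces secret scanning on the server side.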

“We can confirm that internal source code was published on a public GitHub repository by human error,” Liesenfeld said in a statement to TechCrunch. “The security of our organization, products, and services is one of our top priorities.”

Let’s make sure that we train our employees not to do that one again!

To read the full TechCrunch story, thanks to Deva On Breaches, read How a mistakenly published password exposed Mercedes-Benz source code, and thanks so much for reading!
