Mercedes accidentally shared trade secrets with the world
Mercedes-Benz accidentally exposed its source code and trade secrets to the world. The material was discovered on GitHub, and the exposure was reportedly the result of simple human error.
Security researchers regularly scour the internet in search of vulnerable servers or exposed “secrets” of major industry players. UK-based security company RedHunt Labs’ scan uncovered a GitHub repository containing Mercedes-Benz source code and trade secrets.
According to RedHunt co-founder Shubham Mittal, the authentication token found on GitHub could have been used to gain “unfettered access” to the German automaker’s trade secrets and to further credentials stored alongside them. RedHunt identified the exposed token during a routine internet scan in January, but the token itself had been published in September 2023, so it sat in the open for roughly four months. Anyone who found it during that window could have used the token to gain full access to a GitHub Enterprise Server belonging to Mercedes-Benz.
A simple but critical human error
The volume and sensitivity of the data stored on the server in question is said to be staggering. The GitHub token provided unrestricted and unmonitored access to a large body of Mercedes-Benz intellectual property, including blueprints, design documents and other “critical” internal information. RedHunt Labs emphasized that the server also hosted cloud access keys, API keys and additional passwords, which could have been used to disrupt the automaker’s entire IT infrastructure.
Even worse, RedHunt Labs confirmed (with evidence) that the exposed repositories contained access keys for Microsoft Azure and Amazon Web Services (AWS), credentials for a Postgres database and the source code of Mercedes-Benz software. Perhaps the only positive aspect of the incident is that none of the affected servers contained customer data.
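The routine scanning described above, and the kinds of credentials listed here (a GitHub token, cloud access keys, a Postgres connection string), come down to pattern matching over file contents and commit history. The following is an added example, not code from the article, from Mercedes-Benz or from RedHunt Labs: a minimal offline secret scanner that flags GitHub personal access tokens by their documented prefixes, AWS access key IDs and Postgres URLs that embed a password, and applies a Shannon-entropy check so that obvious placeholders such as `ghp_xxxx…` are not reported. The sample file and every token in it are constructed for the example and are not real credentials.

```python
"""Added example: a minimal offline secret scanner.

Not code from the original article or from RedHunt Labs. The sample
input and the tokens in it are constructed and fake.
"""
import math
import re
from typing import Dict, List, Tuple

# GitHub token formats: classic PATs and OAuth/app tokens are a 3-letter
# prefix (ghp, gho, ghu, ghs, ghr), an underscore and 36 characters;
# fine-grained PATs are "github_pat_" followed by 82 characters.
PATTERNS: Dict[str, re.Pattern] = {
    "github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b"
    ),
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # Postgres URLs that carry a password: scheme://user:password@host/db
    "postgres_url": re.compile(r"\bpostgres(?:ql)?://[^\s:/]+:[^\s@]+@[^\s/]+/\S+"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated char."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only the edges of a match so findings can be logged safely."""
    return secret[:8] + "..." + secret[-4:] if len(secret) > 16 else "***"


def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_match) for every suspected secret.

    GitHub-token matches whose body has low entropy are dropped as
    placeholders; a real token's 36 random characters score well above 3.0.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(0)
                if kind == "github_token":
                    body = secret.split("_", 1)[1]
                    if shannon_entropy(body) < min_entropy:
                        continue
                findings.append((lineno, kind, redact(secret)))
    return findings


# Constructed sample input (fake values; AKIAIOSFODNN7EXAMPLE is the
# documentation placeholder AWS itself publishes).
FAKE_GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
PLACEHOLDER_TOKEN = "ghp_" + "x" * 36
SAMPLE_FILE = "\n".join([
    "# constructed sample: a config file committed by mistake",
    "GITHUB_TOKEN=" + FAKE_GITHUB_TOKEN,
    "EXAMPLE_TOKEN=" + PLACEHOLDER_TOKEN,
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "DATABASE_URL=postgres://app:s3cr3t-pw@db.internal.example:5432/prod",
]) + "\n"


if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind}: {shown}")
```

In practice the scanner is run over every revision, not just the working tree (for example over the output of `git log -p`), because a token removed in a later commit is still readable in the history of a public repository; that is the gap between the September publication and the January discovery in this case.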
A spokesperson for Mercedes-Benz soon confirmed that the API token had been revoked and the public repository removed. The automaker’s internal source code was published to a public GitHub repository by mistake, the spokesperson said, attributing the incident to human error.
The exposed token remained publicly available for months, but so far there is no evidence that malicious actors or cybercriminals discovered and misused it to jeopardize Mercedes-Benz’s business. Revoking the token closes the door, but it does not by itself show that nobody walked through it: the access it granted was described as unmonitored, so the absence of evidence rests on whatever logs exist for that period.