In a recent security lapse, Mercedes-Benz inadvertently exposed a wealth of internal data when a private key providing “unrestricted access” to the company’s source code was found in a public GitHub repository.
Details about the Mercedes-Benz data exposure
During an internet scan in January 2024, a threat hunter at RedHunt Labs stumbled upon a Mercedes employee’s authentication token on GitHub. Authentication tokens work as alternatives to traditional passwords for GitHub authentication.
The discovered token granted full access to Mercedes’ GitHub Enterprise Server, allowing unrestricted downloads of the company’s private source code repositories.
The researcher explained the severity of the situation, stating:
“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server. The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”
Among the exposed data, the researcher found Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. No customer data was mentioned in the findings.
Following the leak announcement, a spokesperson for Mercedes confirmed that the company promptly took action by revoking the API token and removing the public repository. They attributed the incident to human error and stated that they, “…Will continue to analyze this case according to normal processes [and] implement remedial measures.”
It is unclear whether anyone else found the exposed key, which was published in late September 2023.
Continuous data discovery & protection in GitHub
The Mercedes-Benz data exposure highlights the need for continuous data discovery and protection in GitHub. Human error during the development lifecycle will not go away. A single line of code containing a hardcoded credential can give threat actors access to company infrastructure and sensitive information.
Manually checking each repository for potential leaks is impractical and error-prone. To address the challenge and prevent sensitive data exposure, we recommend the following mitigations for organizations using GitHub:
- Adopt CLI best practices: Remove hardcoded usernames, passwords, API keys, and OAuth tokens from code samples by implementing coding practices that rely on variables and command-line interface (CLI) arguments.
- Implement zero trust: Use zero trust to employ the principle of least privilege across repositories.
- Mandate multi-factor authentication: Limit the fallout of exposed passwords by mandating multi-factor authentication across employee accounts.
- Create an internal policy: Reduce the risks of human error by establishing a clear policy for GitHub usage.
- Invest in DLP software: Data loss prevention (DLP) tools can proactively discover and protect passwords, secrets, and other sensitive data exposed within your code.
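To make the first and last recommendations concrete, here is an added example (not from the article or from any DLP product) of the kind of check a pre-commit hook or repository scanner performs: it flags lines that embed a GitHub token, an AWS access key ID, or a Postgres connection string with credentials, and stays silent on lines that read the value from the environment or a CLI argument. The token formats are assumptions about common secret prefixes, and the sample lines and values are constructed placeholders.

```python
import re

# Pattern set, assumed here from common secret formats (not from the article):
# GitHub tokens carry a known prefix, AWS access key IDs start with "AKIA",
# and Postgres connection strings embed user:password in the URL.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "postgres_connection_string": re.compile(
        r"\bpostgres(?:ql)?://[^\s:/@\"']+:[^\s@\"']+@[^\s\"']+"
    ),
}

def mask(value: str) -> str:
    """Keep a short prefix so a finding is recognisable without reprinting the secret."""
    return value[:6] + "*" * (len(value) - 6)

def scan_lines(lines):
    """Return (line_no, kind, masked_value) for every secret pattern matched in the lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, mask(match.group(0))))
    return findings

# Constructed sample file standing in for a code sample checked into a repository.
# The credential values are placeholders made of repeated characters, not real secrets.
SAMPLE = [
    'GITHUB_TOKEN = "ghp_' + "a" * 36 + '"',                   # hardcoded classic PAT (flagged)
    'aws_key = "AKIA' + "B" * 16 + '"',                        # hardcoded AWS key ID (flagged)
    'DB_URL = "postgres://app:s3cret@db.internal:5432/prod"',  # credentials in URL (flagged)
    'token = os.environ["GITHUB_TOKEN"]',                      # read from environment (clean)
    'parser.add_argument("--token")',                          # passed as CLI argument (clean)
]

if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE):
        print(f"line {line_no}: {kind}: {masked}")
```

Wired into a pre-commit hook or a CI step, a non-empty result from scan_lines blocks the commit before the secret ever reaches a remote repository.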
By incorporating these measures into development practices, organizations can significantly reduce the risks associated with human error and enhance the overall security of their code repositories.
For further guidance, read our GitHub best practices.