Mercedes-Benz Data Leak Lesson: Lock Down Code Repositories

Several lessons here: 1. Don’t allow keys and credentials to be stored in git repos; 2. Be careful to whom you grant access. Verify everything…:

Don’t forget to lock down online shared code repositories, as Mercedes-Benz parent company Daimler AG learned the hard way after a researcher was able to access nearly 9 GB of software development documentation from a misconfigured GitLab repository.

As first reported by ZDNet, the data exposure, which first came to light last week, comprised more than 580 repositories in GitLab, the web-based tool for software development collaboration.

Daimler’s problem here was embarrassing, but endurable. It may not be next time, which is why organizations should not forget the basic access controls when using code repositories.

The data was found by Swiss-based software developer and security researcher Till Kottmann.

He discovered Daimler’s GitLab pages by using hyper-specific Google searches, sometimes referred to as Google dorking. He created an account and found that Daimler AG didn’t verify that he had control of an email account within a domain that the company had sanctioned to join the GitLab pages.

Thus he had complete access. Kottmann then republished the data via Mega, the online storage platform, and on other outlets. He didn’t notify Daimler AG prior to doing this, which is contrary to the grace period most security researchers give companies in order to rectify a software vulnerability or data leak.

Credentials Leaked

The mistake by Daimler was a simple one: it should have made Kottmann verify he owned an authorized email address before granting access. This kind of inattentiveness to access controls or settings, whether the system is a GitLab instance or an Elasticsearch cluster, has led to big data breaches.
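An added example, not from the article, of how a defender could audit a self-hosted GitLab instance for the exact gap described above: self-registration that is open to anyone who names an approved domain without proving they control a mailbox there. The settings dict mirrors what GitLab’s admin API returns from `GET /api/v4/application/settings`; the field names (`signup_enabled`, `domain_allowlist`, `email_confirmation_setting`) are assumed from the public API docs, and the sample values are constructed.

```python
# Added example (not the article's or GitLab's own code). Audits a GitLab
# application-settings document for open, unverified sign-up. Field names are
# assumed from GitLab's public admin API docs; sample values are constructed.
from typing import Any


def audit_signup_settings(settings: dict[str, Any]) -> list[str]:
    """Return findings about self-registration; an empty list means locked down."""
    findings: list[str] = []
    if not settings.get("signup_enabled", False):
        return findings  # self-registration is disabled: outsiders cannot join
    allowlist = [d.strip() for d in (settings.get("domain_allowlist") or [])]
    if not allowlist:
        findings.append("open sign-up: no domain allowlist restricts who may register")
    # Restricting by domain is worthless unless ownership of a mailbox in that
    # domain is enforced before the new account can sign in ("hard" mode).
    if settings.get("email_confirmation_setting", "off") != "hard":
        findings.append("email ownership is not enforced before the account can sign in")
    return findings


# Constructed sample: domain-restricted on paper, but anyone can claim the domain.
SAMPLE_LEAKY = {
    "signup_enabled": True,
    "domain_allowlist": ["example-corp.test"],
    "email_confirmation_setting": "off",
}

# Constructed sample: same allowlist, but sign-in requires a confirmed mailbox.
SAMPLE_HARDENED = {
    "signup_enabled": True,
    "domain_allowlist": ["example-corp.test"],
    "email_confirmation_setting": "hard",
}

if __name__ == "__main__":
    for name, s in (("leaky", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_signup_settings(s) or ["ok"])
```

In practice the dict would come from the admin API with an admin-scoped token; the function itself needs no network access.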

There were also passwords and API keys in the repositories, which ZDNet reported were found by threat intelligence firm Under the Breach. Kottmann says he didn’t realize that the data also included that type of information.

[…]

Original article here