What if the authentication key is posted as a comment on our company's official GitHub? (true story)
Haebom
Many people enjoyed the post I published earlier, so here is another story in the same vein. This time the main character is, surprisingly, Mercedes-Benz. Through its official GitHub organization, Mercedes-Benz has participated in several open source projects and provided outsiders a certain level of access.
However, a Mercedes employee's authentication token was recently uploaded to a public repository on GitHub. The token gave full access to Mercedes' GitHub Enterprise Server and allowed anyone holding it to download the company's source code repositories. (Reportedly, an entire Mercedes-Benz codebase was among them.)
According to Shubham Mittal, who first discovered and reported it, the token gave "unrestricted" access to the entire source code hosted on Mercedes' internal GitHub Enterprise Server, which contained sensitive internal information including intellectual property, connection strings, cloud access keys, schematics, design documents, single sign-on (SSO) passwords, and API keys.
What is a bit funny is that Mittal did not report this to Mercedes-Benz but to the media. Mercedes-Benz, which learned of the leak through media reports, officially announced that it had "revoked the API token and immediately removed the public repository," and admitted that "the internal source code was accidentally published in the public GitHub repository." In the same statement it said it would pay more attention to security in the future.
In fact, in some ways I think the only victim here was Mercedes-Benz... but it is a remarkable true story on both sides: the person who uploaded the token to GitHub and the person who discovered it and went straight to the media. Personally, if I were Mittal, I would have reported the finding to Mercedes-Benz and offered them a security solution, which would have been worth more than just one Mercedes. I say this because Mittal is the CTO of RedHunt Labs, an IT security solutions company. 😂
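A token in a public commit is exactly what a pre-commit secret scan is meant to stop. The following added example (my own code, not anything Mercedes-Benz or Mittal published) scans only the added lines of a unified diff for GitHub token shapes; the prefix and length rules are my assumption based on GitHub's published token formats, and the diff and tokens are constructed.

```python
import re
from dataclasses import dataclass

# Assumed token shapes (from GitHub's published formats, not from this post):
# ghp_/gho_/ghu_/ghs_/ghr_ + 36 base62 chars; github_pat_ + 82 chars of [A-Za-z0-9_]
TOKEN_PATTERNS = {
    "github_classic": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}

@dataclass(frozen=True)
class Finding:
    diff_line: int   # 1-based line number within the diff text
    kind: str
    redacted: str    # first 8 chars only; the full secret is never logged

def redact(token: str) -> str:
    return token[:8] + "*" * (len(token) - 8)

def scan_diff(diff: str) -> list[Finding]:
    """Check only added lines: they are what the commit would publish."""
    findings = []
    for n, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context, removed lines and '+++' file headers are not new content
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(n, kind, redact(m.group(0))))
    return findings

def should_block_commit(diff: str) -> bool:
    return bool(scan_diff(diff))

# Constructed sample diff with obviously fake tokens of the right length.
FAKE_CLASSIC = "ghp_" + "abcdefghijklmnopqrstuvwxyz0123456789"  # 36-char body
FAKE_FINE = "github_pat_" + "0123456789" * 8 + "AB"              # 82-char body
SAMPLE_DIFF = f"""\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 import os
-OLD_TOKEN = "{FAKE_CLASSIC}"
+# quick hack so the script works without env vars
+GITHUB_TOKEN = "{FAKE_CLASSIC}"
+DEPLOY_TOKEN = "{FAKE_FINE}"
"""
if __name__ == "__main__":
    raise SystemExit(1 if should_block_commit(SAMPLE_DIFF) else 0)  # non-zero aborts the commit
```

Run it as a git pre-commit hook over `git diff --cached`; a non-zero exit stops the commit before the token ever reaches a remote.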