
What if the authentication key was accidentally uploaded as a comment on our company's official GitHub? (True story)

Haebom
So many people found the previous post entertaining that I decided to bring you another story along the same lines. The star of this story is—surprisingly—Mercedes-Benz. Mercedes-Benz has participated in a few open source projects and granted certain levels of access through their official GitHub.
But recently, an employee's authentication token was left exposed in one of Mercedes' public GitHub repositories. This token provided full access to the company's GitHub Enterprise Server and allowed anyone to download the company's source code repositories. (It supposedly included all the code managing the entire Mercedes-Benz lineup.)
According to Shubham Mittal, who first found and reported this, the token allowed “unrestricted” access to all source code hosted on Mercedes’ internal GitHub Enterprise Server. That internal server held a trove of sensitive information, including intellectual property, connection strings, cloud access keys, schematics, design documents, SSO passwords, API keys, and more.
The funny thing is, instead of notifying Mercedes-Benz, Mittal tipped off the media. Mercedes-Benz only found out through news coverage and then announced that they had “revoked the API token and immediately took down the public repository,” admitting that “internal source code was mistakenly posted to a public GitHub repository.” They also issued a statement promising to take greater care in security moving forward.
Honestly, perhaps the only real victim here is Mercedes-Benz... It’s one of those incredible true stories, from the person who accidentally uploaded the main token to GitHub to the person who spotted it and immediately reported it to the media. If I were Mittal, I can’t help but think that reporting it directly to Mercedes-Benz and maybe offering them some security solutions would probably be worth more than a Benz or two! The reason I think like this? Mittal is the CTO of the IT security solution company RedHunt Lab. 😂
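The cheapest place to catch a token like the one in this story is before it ever reaches a public repository. The scanner below is an added example, not code from the original post, from Mercedes-Benz or from GitHub: it reads a diff (for instance the output of `git diff --cached` in a pre-commit hook), flags values that carry GitHub's documented token prefixes (`ghp_`, `github_pat_`, `gho_`, `ghu_`, `ghs_`, `ghr_`), and also flags high-entropy values assigned to secret-looking names. The function names, the entropy threshold and the sample diff (including its fake token) are all constructed for this illustration.

```python
"""Pre-commit style secret scanner for diffs (added example, not the post's own code)."""
import math
import re
import subprocess
import sys
from typing import List, Tuple

# GitHub's documented token prefixes: personal access tokens (ghp_), fine-grained
# PATs (github_pat_), OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_)
# and refresh tokens (ghr_). Classic tokens carry 36 alphanumeric chars after the prefix.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"
)

# A secret-like name followed by an assignment of a long value, e.g. DB_PASSWORD = "..."
# (no leading \b so that names such as DB_PASSWORD or api_key_prod also match).
ASSIGNMENT_RE = re.compile(
    r"(?i)(token|secret|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-+/=]{16,})"
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so the scanner never echoes a full secret into logs."""
    return value[:6] + "..." + "*" * 4


def find_secrets(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, redacted_match) for suspicious lines.

    Lines starting with '-' are treated as removed diff lines and skipped; a leading
    '+' is stripped so the rules run on the added content itself.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue
        body = line[1:] if line.startswith("+") else line
        for m in GITHUB_TOKEN_RE.finditer(body):
            findings.append((lineno, "github-token", redact(m.group(0))))
        for m in ASSIGNMENT_RE.finditer(body):
            value = m.group(2)
            # Skip values already reported by the token rule to avoid double counting.
            if shannon_entropy(value) >= entropy_threshold and not GITHUB_TOKEN_RE.search(value):
                findings.append((lineno, "high-entropy-assignment", redact(value)))
    return findings


# Constructed sample diff: the ghp_ token is fake (36 predictable characters).
SAMPLE_DIFF = """\
+++ b/config/settings.py
+# constructed example: a token pasted into a comment
+# GITHUB_TOKEN = ghp_0123456789abcdefghijklmnopqrstuvwxyz
+DB_PASSWORD = "xK9pQ2mLwZ8vTr0ub4dor3"
-OLD_TOKEN = ghp_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+DEBUG = "true"
"""


def scan_staged_changes() -> int:
    """Hook entry point: scan `git diff --cached`, return 1 (block commit) on findings."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
    hits = find_secrets(diff)
    for lineno, rule, match in hits:
        print(f"diff line {lineno}: {rule}: {match}")
    return 1 if hits else 0


if __name__ == "__main__":
    if "--demo" in sys.argv:
        for hit in find_secrets(SAMPLE_DIFF):
            print(hit)
    else:
        sys.exit(scan_staged_changes())
```

Run it with `--demo` to see the two constructed findings; installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit. The prefix rule is precise and cheap; the entropy rule is deliberately noisy (it will flag some long random-looking but harmless values), which is the usual trade-off for catching credentials that have no recognisable format.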
📚 Welcome to Haebom's archives.
---
I post articles related to IT 💻, economy 💰, and humanities 🎭.
If you are curious about my thoughts, perspectives or interests, please subscribe.
haebom@kakao.com