What if the authentication key is posted as a comment on our company's official GitHub? (true story)
Haebom
Many people enjoyed the previous post, so here is another story in the same vein. This time the main character is, surprisingly, Mercedes-Benz. Mercedes-Benz has been fairly active on its official GitHub, contributing to open source projects and opening up some of its code.
Recently, however, a Mercedes employee's authentication token was found in a public GitHub repository. The token granted full access to Mercedes' internal GitHub Enterprise Server, so anyone who found it could download the company's source code repositories (described as the code base behind the entire Mercedes-Benz fleet).
According to Shubham Mittal, who first discovered and reported the breach, the token granted “unrestricted” access to the full source code hosted on Mercedes’ internal GitHub Enterprise Server, which contained sensitive internal information such as intellectual property, connection strings, cloud access keys, schematics, design documents, single sign-on passwords, and API keys.
What is a bit funny is that Mittal did not report this to Mercedes-Benz, but to the press. After finding out about it through a press report, Mercedes-Benz officially announced that it had "revoked the API token and immediately removed the public repository," and admitted that "internal source code was accidentally published to a public GitHub repository." It also stated that it would be more careful about security in the future.
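Revoking the token is the step that actually matters here: once a secret has sat in a public repository it has to be treated as compromised, because deleting the repository does not undo clones, forks or search-engine indexing. The cheaper fix is to catch the secret before it is ever pushed. The following is an added example, not code from the post or from Mercedes-Benz or RedHunt Labs, of a small pre-commit style scanner that flags GitHub personal access tokens and cloud access key IDs by pattern and falls back to an entropy check for anything assigned to a variable whose name looks like a credential. The token formats (the `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix followed by 36 alphanumerics, and the `AKIA`/`ASIA` access key ID prefix) and the sample file contents are assumptions for the example, not details from the original article.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed token shapes (example assumption, not taken from the original post):
# GitHub personal access tokens carry a short prefix followed by 36 alphanumerics;
# AWS access key IDs start with AKIA or ASIA and are 20 characters long.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

# Generic fallback: a value of 20+ base64-ish characters assigned to a variable
# whose name contains token/secret/password/key. Group 1 is the name, group 2 the value.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z_]*(?:token|secret|password|key)[A-Za-z_]*)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per suspicious value, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Specific, well-known formats first: these are reported regardless of entropy.
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
        # Then the generic check, skipping values already caught above and
        # low-entropy placeholders such as "xxxxxxxx" or "changeme".
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if any(f.line_no == line_no and f.value == value for f in findings):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_assignment", value))
    return findings


def has_secrets(text: str) -> bool:
    """Convenience wrapper for a hook: non-zero exit if anything is flagged."""
    return bool(scan_text(text))


def redact(value: str) -> str:
    """Show just enough of a value to locate it without re-leaking it in logs."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


# Constructed sample file; none of these strings are real credentials.
SAMPLE = """\
# settings.py (constructed sample, not real credentials)
DEBUG = True
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaa"
API_KEY = "q7Zp2mX9vL4nR8sT1wY6bC3dF5gH0jK2"
TIMEOUT_SECONDS = 30
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {redact(f.value)}")
    raise SystemExit(1 if has_secrets(SAMPLE) else 0)
```

Run against the sample, the scanner reports the GitHub token on line 3, the AWS key ID on line 4 and the random-looking API key on line 6, while ignoring the all-`a` placeholder password on line 5 because its entropy is zero. Wire `scan_text` to the staged diff in a pre-commit hook and the commit is refused before the secret leaves the developer's machine; the entropy threshold is a knob to tune against false positives on your own code base.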
In fact, in some ways the only victim seems to be Mercedes-Benz... It is an amazing true story, from the person who uploaded the token to GitHub to the person who discovered it and reported it to the media. Personally, if I were Mittal, I think reporting it to Mercedes-Benz and providing them with security solutions would have been worth more than one Benz. The reason I think this way is that Mittal is the CTO of RedHunt Labs, an IT security solution company. 😂