Nissan North America leaked source code for various internal tools and applications after it misconfigured a Git repository, letting hackers access its contents and share them on Telegram and hacker forums.
The misconfigured Git server, owned by Nissan North America, was spotted by software engineer Tillie Kottmann, who told ZDNet that the server was protected only by the default username and password combination admin/admin. Third parties then accessed the server, and its contents were reportedly circulating on hacker forums before Nissan closed the leak.
"We are aware of a claim regarding a reported improper disclosure of Nissan's confidential information and source code. We take this type of matter seriously and are conducting an investigation," a representative from Nissan told ZDNet.
The publication revealed that the misconfigured Git server contained source code for various Nissan NA mobile apps, the vehicle logistics portal, vehicle connected services, the Nissan internal core mobile library, various marketing tools, client acquisition and retention tools, some parts of the Nissan ASIST diagnostics tool, and Nissan/Infiniti NCAR/ICAR services.
According to Mark Bower, SVP at comforte AG, the leak of source code for internal tools and applications is a classic example of security being only as good as its weakest link – in this case most likely down to both human error and the lack of a process for scanning critical infrastructure for vulnerable credentials and for effective data security.
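The failure described above is a Git HTTP front end that still accepts a factory default login. The following Python script is an added example, not code from the ZDNet report or from Nissan: it probes a list of internal Git URLs with a set of default username/password pairs over HTTP Basic auth and flags any host that lets a default pair in. Because it has to run offline, the target is a constructed in-process HTTP server that stands in for the misconfigured Git server (it accepts exactly admin/admin); the repository path, the loopback address and the extra credential pairs beyond admin/admin are assumptions you would replace with your own inventory.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Username/password pairs that ship as factory defaults on many self-hosted Git
# front ends and appliances. admin/admin is the pair reported for the Nissan
# server; the others are assumed additions (extend the list for your estate).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root"), ("git", "git")]


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe(url, user, password, timeout=5):
    """GET url with Basic credentials and return the HTTP status code.

    Returns None when the host cannot be reached at all, so the caller can
    tell "rejected" (401/403) apart from "unreachable".
    """
    req = urllib.request.Request(url, headers={"Authorization": basic_auth(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def audit_default_credentials(urls, creds=DEFAULT_CREDS):
    """Return (url, user, password) for every URL that accepts a default pair.

    A 2xx answer to an authenticated request means the server let us in; any
    4xx means the pair was rejected and the next one is tried.
    """
    findings = []
    for url in urls:
        for user, password in creds:
            status = probe(url, user, password)
            if status is not None and 200 <= status < 300:
                findings.append((url, user, password))
                break  # one accepted pair is enough to flag the host
    return findings


class _WeakGitServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a Git HTTP front end still on admin/admin."""

    def do_GET(self):
        if self.headers.get("Authorization") == basic_auth("admin", "admin"):
            body = b"ref: refs/heads/main\n"  # what a readable repo HEAD looks like
            self.send_response(200)
        else:
            body = b"Unauthorized\n"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="git"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the weak server on a free loopback port, audit it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _WeakGitServer)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    # Assumed repository path; a real inventory would list your own Git URLs.
    url = f"http://127.0.0.1:{server.server_address[1]}/repo.git/HEAD"
    try:
        return audit_default_credentials([url])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for url, user, password in run_demo():
        print(f"DEFAULT CREDENTIALS ACCEPTED: {url} ({user}/{password})")
```

Run it against your own hosts by passing a list of URLs to `audit_default_credentials`; treat any finding as an incident, not a hygiene item, because anyone on the network path has the same access. The probe deliberately stops at the first accepted pair per host, and it separates "unreachable" from "rejected" so that a firewall timeout is not silently counted as a pass.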
"The recent SolarWinds situation should have prompted organisations across industry to revisit their supply chain security, data security and authentication as a matter of priority – including any internet facing or cloud components. Access to code for potential core IoT/connected car applications opens up a raft of potential vulnerability exploits for attackers, if the claims of the full source code dump circulating on Twitter are indeed true.
"Connected systems at the edge, including automotive components, are not always simple to update at a firmware level to address new threats, requiring dealership processes. This means any discovered exploits such as vulnerable TCP/IP stacks, credential management and offline authentication methods in the connected path to the vehicle’s bevy of connected devices may indeed become targets for attacker analysis and compromise, made easier with access to source code," he said.
Back in 2020, Kottmann also discovered a misconfiguration in the Git web portal of Daimler AG, the automotive company behind the Mercedes-Benz car brand. The misconfiguration allowed anyone to create an account on Daimler's code-hosting portal and download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.
According to Kottmann, the company's official GitLab server had no account confirmation process, which allowed registration of an account using a non-existent Daimler corporate email address. Kottmann downloaded 580 Git repositories from the company's server and made them publicly available by uploading the files to several locations, including the file-hosting service MEGA, the Internet Archive, and Kottmann's own GitLab server.