A security researcher discovered a misconfiguration in a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz brand. The researcher was able to access, download and leak over 580 Git repositories containing the source code for “smart car” components installed in Mercedes vans. The leaked projects also included Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and passwords and API tokens to Daimler’s systems.
Misconfigured security settings is the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019. In this GitLab instance, bad actors could register an account on Daimler\’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.
Without a proactive approach to security, companies open themselves up to undue risk. Most organizations rely on detecting risks and misconfigurations in the cloud at runtime (after provisioning or creation) instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues.
Daimler’s exposure of their Git repositories highlights how developers and security teams must work towards proactively identifying compliance and security issues before cloud resources are deployed. Instead of primarily relying on runtime security, organizations should “shift left” by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.