Type: Research
Actors:
Pub. date: January 26, 2024
Initial access: Exposed secret
Impact:
Resp. disclosure:
Observed techniques:
Targeted technologies:
Status: Finalized
Last edited: Jun 30, 2024 10:09 AM

In January 2024, researchers at RedHunt Labs discovered that Mercedes-Benz had accidentally included an access token in one of its public GitHub repositories. The token granted access to an internal GitHub Enterprise server. This server contained intellectual property as well as credentials for various databases and other services such as Azure and AWS subscriptions. According to Mercedes-Benz, the token was pushed to the public repo in September 2023.