Type: Incident
Actors:
Pub. date: December 30, 2024
Initial access: Software misconfig
Impact: Data exfiltration
Observed techniques:
Targeted technologies:
References:
Status: Finalized
Last edited: Jan 8, 2025 1:23 PM
Researchers found a data exposure issue within Volkswagen’s environment by leveraging tools such as Subfinder, GoBuster, and Spring. Using these tools, they found a Java Spring application exposing its heap dump file. Heap dumps, which list various objects within a Java Virtual Machine (JVM), are typically used for monitoring performance metrics and introspection but can inadvertently expose sensitive information.
In this case, the heap dump contained active AWS credentials stored in plain text.