Swiss researchers who had previously discovered exposed source code owned by Mercedes-Benz announced that they had received a tip to exposed source code belonging to automobile maker Nissan. The exposed BitBucket server used the default credentials of admin/admin, allowing anyone with knowledge of the server to access source code to Nissan NA mobile apps, diagnostic tools, dealer portals, and other internal tools. The repository has since been brought down but is making rounds on various Telegram channels and hacker forums, shared via torrent links. Nissan has since responded to the disclosure and is investigating.
Analyst Notes
Protecting valuable assets such as internal source code should be a high priority to organizations, especially to those that rely on it for sensitive operations. Attackers have on multiple occasions drawn out long campaigns to take advantage of such vulnerabilities like the use of default credentials, and it is possible for attackers to plant backdoors or add other vulnerabilities when they have administrative access to source control servers. API keys and other authentication tokens should never be stored in source code, but attackers with access to source control servers can review prior versions of the code to find sensitive information that was previously identified and removed. In a broader sense, new implementations of any technology, not just source version control, need security in mind from the start to help prevent high-value exposures such as this. Lastly, understanding where sensitive technologies are located can be equally crucial as source control can be behind various authentication and authorization controls to verify that the right users are allowed to access sensitive information.
Resources and References:
https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/
