During a scan for leaks of confidential data in GitHub repositories carried out by RedHunt Labs, an API token was found published in a public repository; the token allowed unrestricted access to the internal repositories of Mercedes-Benz, hosted on an internal server running GitHub Enterprise Server. It is assumed that the token was accidentally published by a Mercedes-Benz employee among code placed in a public repository on GitHub.
The token had been in the repository since September 29, 2023 and was identified on January 11, 2024. After the company was informed of the incident on January 24, the token was revoked. According to Mercedes-Benz representatives, the exposed token did not give access to all of the source code on the server, only to certain internal repositories. At the same time, the researchers who identified the token state that the internal repositories reachable with it contained closed technical documentation and information constituting trade secrets, as well as confidential data such as credentials for connecting to DBMSs, access keys for cloud services, API access keys and passwords for connecting to services.
Separately, it is worth noting that the company Escape identified 18,458 keys and tokens embedded in web pages, 41% of which are critical, i.e. their leak leads to significant financial risk. For example, according to the researchers' estimate, the funds reachable via the exposed tokens for the Stripe API amount to about $20 million.
Among the confidential data identified in the pages are access tokens for GitHub (51.5%), GitLab, Stripe (0.9%), OpenAI (1.4%), AWS, Twitch (0.7%), Coinbase, X/Twitter, Slack (9.5%) and Discord (1.2%), as well as private RSA keys (26.3%). 35% of the identified keys and tokens were present in JavaScript files. In 2.1% of cases, the confidential data was in files produced by bundling JavaScript code into a single file.
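Both incidents above come down to credentials sitting in plain text where anyone can read them: a token in a public repository, keys in bundled JavaScript served to browsers. The following is an added example, not code from RedHunt Labs, Escape or Mercedes-Benz, of the kind of pre-publish secret scan a defender runs over a build artefact; the token prefixes are the vendors' public formats, while the length bounds, the severity labels and the sample file are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for credential types named in the report. Prefixes are
# the publicly documented formats; length bounds and severities are assumptions.
PATTERNS = {
    "github_pat":      (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    "stripe_live_key": (re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"), "critical"),
    "aws_access_key":  (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "slack_token":     (re.compile(r"\bxox[bpoas]-[A-Za-z0-9-]{10,}\b"), "high"),
    "rsa_private_key": (re.compile(r"-----BEGIN RSA PRIVATE KEY-----"), "critical"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    preview: str  # redacted; the full secret is never written to a report

def redact(secret: str) -> str:
    """Keep enough of the prefix to identify the credential type, hide the rest."""
    return secret[:8] + "..." if len(secret) > 8 else "..."

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line; works on minified bundles too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (rx, severity) in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, severity, redact(m.group(0))))
    return findings

def summarize(findings: list[Finding]) -> dict:
    total = len(findings)
    critical = sum(1 for f in findings if f.severity == "critical")
    pct = round(100 * critical / total, 1) if total else 0.0
    return {"total": total, "critical": critical, "critical_pct": pct}

# Constructed sample: a bundled JavaScript file like those the report describes.
# All values are fake; the AWS key is Amazon's own documented example key.
SAMPLE_JS = (
    'const cfg={api:"https://example.invalid",ghToken:"ghp_' + "A" * 36 + '"};\n'
    'const stripe=Stripe("sk_live_' + "0" * 24 + '");\n'
    'const aws={accessKeyId:"AKIAIOSFODNN7EXAMPLE"};\n'
    'const pk=`-----BEGIN RSA PRIVATE KEY-----\\nMIIE...\\n-----END RSA PRIVATE KEY-----`;\n'
    'console.log("no secrets on this line");\n'
)

if __name__ == "__main__":
    found = scan_text("bundle.min.js", SAMPLE_JS)
    for f in found:
        print(f"{f.path}:{f.line} {f.severity:8} {f.kind:16} {f.preview}")
    print(summarize(found))
```

Wired into CI before a bundle or repository is published, a non-empty result blocks the release; the redacted preview is enough to locate and rotate the credential without copying it into yet another log.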