[BreachExchange] Nissan source code leaked online after Git repo misconfiguration

Destry Winant destry at riskbasedsecurity.com
Thu Jan 7 10:40:04 EST 2021


https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/

The source code of mobile apps and internal tools developed and used
by Nissan North America has leaked online after the company
misconfigured one of its Git servers.

The leak originated from a Git server that was left exposed on the
internet while still accepting its default administrator username and
password combination of admin/admin, Tillie Kottmann, a Swiss-based
software engineer, told ZDNet in an interview this week.
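The following Python script is an added illustration and not code from the ZDNet article, Nissan, or Atlassian: it checks a self-hosted Bitbucket Server / Data Center instance that you administer for the default admin/admin login described above. It assumes (this is not stated in the article) that the instance exposes Bitbucket Server's REST API at /rest/api/1.0, that GET /rest/api/1.0/admin/users answers 200 only to an authenticated user holding the ADMIN permission, 401 to a failed login and 403 to a valid non-admin login, and that the base URL passed on the command line is one you are authorised to test. The extra credential pairs beyond admin/admin are constructed additions.

```python
"""Audit a Bitbucket Server instance for a surviving default admin login.

Added example, not code from the article or from Nissan/Atlassian.
Assumed: REST API under /rest/api/1.0 and an admin-only endpoint that
returns 200 only for an authenticated ADMIN user.
"""
import base64
import sys
import urllib.error
import urllib.request

# admin/admin is the pair the article reports; the other two are
# constructed examples of logins that often survive an unattended install.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "bitbucket"),
]

# Admin-only endpoint (assumption: requires the ADMIN permission, so
# anonymous access being enabled cannot produce a false positive).
PROBE_PATH = "/rest/api/1.0/admin/users"


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value for a pair."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def classify_status(status: int) -> str:
    """Map the probe's HTTP status code to an audit verdict."""
    if status == 200:
        return "ACCEPTED_AS_ADMIN"      # default login works and is an admin
    if status == 401:
        return "REJECTED"               # credentials not accepted
    if status == 403:
        return "ACCEPTED_NOT_ADMIN"     # login works, lacks ADMIN permission
    return "UNEXPECTED"                 # e.g. 404: not a Bitbucket Server API


def probe(base_url: str, username: str, password: str,
          timeout: float = 10.0) -> int:
    """Send one authenticated GET to the probe path; return the status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={
            "Authorization": basic_auth_header(username, password),
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url: str, pairs=DEFAULT_CREDENTIALS):
    """Try each pair once and return (user, password, verdict) rows."""
    return [(u, p, classify_status(probe(base_url, u, p))) for u, p in pairs]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: bitbucket_default_creds.py https://bitbucket.example.internal")
    rows = audit(sys.argv[1])
    for user, password, verdict in rows:
        print(f"{user}/{password}: {verdict}")
    # Non-zero exit if any default pair logs in at all.
    sys.exit(1 if any(v.startswith("ACCEPTED") for _, _, v in rows) else 0)
```

Keep the credential list short: Bitbucket Server throttles repeated failed logins for an account, so a long list will start returning lockout or CAPTCHA responses rather than a clean 401, which this script reports as UNEXPECTED. An instance that should never be reachable from the internet at all is better caught by an external port scan of your ranges than by this check; the script only tells you whether a default login is still live on a server you already know about.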

Kottmann, who learned of the leak from an anonymous source and
analyzed the Nissan data on Monday, said the Git repository contained
the source code of:

Nissan NA Mobile apps
some parts of the Nissan ASIST diagnostics tool
the Dealer Business Systems / Dealer Portal
Nissan internal core mobile library
Nissan/Infiniti NCAR/ICAR services
client acquisition and retention tools
sale / market research tools + data
various marketing tools
the vehicle logistics portal
vehicle connected services / Nissan connect things
and various other backends and internal tools

NISSAN IS INVESTIGATING THE LEAK

The Git server, a Bitbucket instance, was taken offline yesterday
after the data started circulating on Monday in the form of torrent
links shared on Telegram channels and hacking forums.

Reached for comment, a Nissan spokesperson confirmed the incident.

"We are aware of a claim regarding a reported improper disclosure of
Nissan's confidential information and source code. We take this type
of matter seriously and are conducting an investigation," the Nissan
rep told ZDNet in an email.

The Swiss researcher received the tip about Nissan's Git server
because they had previously found a similarly misconfigured GitLab
server in May 2020 that leaked the source code of various Mercedes-Benz
apps and tools.

Mercedes-Benz eventually acknowledged that leak, and Kottmann, who had
been hosting the leaked data, removed it from their server at the
company's request.


More information about the BreachExchange mailing list