Security lapse at BMW exposed sensitive company information, researcher says


A misconfigured cloud storage server belonging to automotive giant BMW exposed sensitive company information, including private keys and internal data, TechCrunch has learned.

Can Yoleri, a security researcher at threat intelligence firm SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server during a regular scan of the Internet.

Yoleri said the Microsoft Azure-hosted storage server (in Azure terms a blob storage container, though commonly called a “bucket”) in BMW’s development environment was “accidentally configured to be public instead of private due to misconfiguration.”

Yoleri added that the storage bucket contained “script files that include access information to the Azure container, secret keys to access private bucket addresses, and details about other cloud services.”

Screenshots shared with TechCrunch show that the exposed data included private keys for BMW’s cloud services in China, Europe and the United States, as well as login information for BMW’s production and development databases.

It is unclear how much data was exposed or how long the cloud bucket was exposed to the internet. “Unfortunately, this is the biggest unknown in public bucket issues,” Yoleri told TechCrunch. “Only the owner of the bucket can see how long it has actually been open.”

When contacted by email, BMW spokesperson Chris Global confirmed to TechCrunch that the data exposure affected a Microsoft Azure storage bucket in a development environment and said that no customer or personal data had been affected.

The spokesperson added that “the BMW Group managed to resolve this issue in early 2024 and we continue to monitor the situation with our partners.”

BMW did not say how long the storage bucket was exposed or whether it observed malicious access to the exposed data. Yoleri said that while he had no evidence of malicious access, “that doesn’t mean it doesn’t exist.”

Yoleri told TechCrunch that although BMW made the bucket private after he reported his findings to the company, it did not revoke or change the passwords and credentials found in the exposed cloud bucket. Anyone who copied those secrets while the bucket was public can keep using them until they are rotated.

“Even though the bucket was made private, these access keys had to be changed. It doesn’t matter anymore if the bucket is private,” Yoleri said. He added that he attempted to contact BMW about this subsequent issue, but did not receive a response.
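The practical follow-up to Yoleri’s point is an inventory of every credential that sat in the exposed scripts, grouped by the storage account that has to rotate its keys. The script below is an added example for this article, not code from TechCrunch, BMW or SOCRadar: it scans file contents for Azure Storage connection strings, bare account keys and shared access signature (SAS) URLs, reads the endpoint suffix to tell Azure global, Azure China and Azure US Government accounts apart, and redacts each secret before reporting it. The sample file contents and keys are constructed for the example and belong to no real account; the function names are the example’s own.

```python
"""Inventory Azure Storage secrets in leaked script files so each one can be rotated.

Added example for this article; not code from TechCrunch, BMW or SOCRadar.
The script contents and keys below are constructed and belong to no real account.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# An Azure storage account key is 64 random bytes, base64-encoded: 88 chars ending in "==".
ACCOUNT_KEY_RE = re.compile(r"[A-Za-z0-9+/]{86}==")
# Connection string in the form the portal and `az storage account show-connection-string` emit.
CONN_STRING_RE = re.compile(
    r"AccountName=(?P<name>[a-z0-9]{3,24});AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)"
    r"(?:;EndpointSuffix=(?P<suffix>[a-z.]+))?"
)
# A shared access signature URL carries at least sv= (API version) and sig= (the HMAC).
SAS_URL_RE = re.compile(r"https://(?P<host>[a-z0-9.-]+)/[^\s\"']*\?[^\s\"']*sig=[^\s\"'&]+")

# The endpoint suffix tells you which Azure cloud the account lives in.
CLOUD_BY_SUFFIX = {
    "core.windows.net": "Azure global",
    "core.chinacloudapi.cn": "Azure China",
    "core.usgovcloudapi.net": "Azure US Government",
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str         # "connection-string", "account-key" or "sas-url"
    account: str      # storage account name, "?" if not recoverable from context
    cloud: str
    secret_hint: str  # first and last characters only; never log the full secret


def redact(secret: str) -> str:
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 12 else "***"


def cloud_for_host(host: str) -> str:
    for suffix, cloud in CLOUD_BY_SUFFIX.items():
        if host.endswith(suffix):
            return cloud
    return "unknown"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every Azure Storage credential found in one file's contents."""
    findings, keys_in_conn_strings = [], set()
    for m in CONN_STRING_RE.finditer(text):
        keys_in_conn_strings.add(m["key"])
        cloud = CLOUD_BY_SUFFIX.get(m["suffix"] or "core.windows.net", "unknown")
        findings.append(Finding(path, "connection-string", m["name"], cloud, redact(m["key"])))
    for m in ACCOUNT_KEY_RE.finditer(text):
        if m.group(0) not in keys_in_conn_strings:      # bare key outside a connection string
            findings.append(Finding(path, "account-key", "?", "unknown", redact(m.group(0))))
    for m in SAS_URL_RE.finditer(text):
        url = urlparse(m.group(0))
        query = parse_qs(url.query)
        if "sv" not in query:                            # sig= alone is not an Azure SAS
            continue
        account = url.hostname.split(".")[0]
        findings.append(Finding(path, "sas-url", account, cloud_for_host(url.hostname),
                                redact(query["sig"][0])))
    return findings


def rotation_plan(files: dict[str, str]) -> dict[tuple[str, str], list[Finding]]:
    """Group findings by (account, cloud): one key rotation per storage account.
    Regenerating both account keys also invalidates every SAS token signed with them."""
    plan: dict[tuple[str, str], list[Finding]] = {}
    for path, text in files.items():
        for f in scan_text(path, text):
            plan.setdefault((f.account, f.cloud), []).append(f)
    return plan


# Constructed sample of what a leaked deployment script might contain (fake keys).
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
FAKE_KEY_CN = base64.b64encode(bytes(range(64, 128))).decode()
SAMPLE_FILES = {
    "deploy/upload.sh": (
        "#!/bin/sh\n"
        'export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;'
        f'AccountName=devartifacts;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"\n'
        "az storage blob upload-batch -d builds -s ./out\n"
    ),
    "deploy/cn_sync.py": (
        'CONN = "DefaultEndpointsProtocol=https;AccountName=cnbuilds;'
        f'AccountKey={FAKE_KEY_CN};EndpointSuffix=core.chinacloudapi.cn"\n'
        'SAS = "https://cnbuilds.blob.core.chinacloudapi.cn/private?sv=2022-11-02'
        '&ss=b&srt=co&sp=rl&se=2030-01-01T00:00:00Z&sig=abc123FAKEsig%3D"\n'
    ),
    "README.md": "No secrets here, see https://example.com/docs?sig=notasas\n",
}

if __name__ == "__main__":
    for (account, cloud), items in rotation_plan(SAMPLE_FILES).items():
        print(f"{account} ({cloud}): rotate both account keys; {len(items)} secret(s) seen")
        for f in items:
            print(f"  {f.path}: {f.kind} {f.secret_hint}")
```

Making the container private again (for example with `az storage container set-permission --public-access off`, or disabling anonymous blob access on the account) only closes the listing; the inventory above is what drives the rotation itself, which is `az storage account keys renew` for both keys of each account found, followed by re-issuing any SAS tokens the scripts depend on. The scanner covers only Azure Storage credentials; the database logins and other cloud-service secrets the article mentions need their own patterns and their own rotation.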

Last month, Mercedes-Benz confirmed it accidentally exposed a trove of internal data after leaving a private key online allowing “unlimited access” to its source code. After TechCrunch revealed the security issue to Mercedes, the automaker said it had “revoked the respective API token and removed the public repository immediately.”
