Abstract
Companies use software development frameworks to ease the process of storing, tracking, and collaborating on software projects and to keep track of the software development cycle. Some companies develop their own proprietary framework, whereas others adopt open-source or third-party frameworks; in either case, companies need to establish their own protocols and configure all the necessary security measures themselves. Failing to do so may result in unforeseen security breaches and data compromises. This is what happened to Mercedes: one of its employees' GitHub tokens was discovered during a simple internet search, and this token had 'unrestricted' and 'unmonitored' access to the entire source code hosted on the internal GitHub Enterprise Server. The discovery was made on September 29, 2023, but Mercedes was unaware of it until January 9, 2024; once informed of the discovery, the company swiftly revoked the token, rendering it obsolete.
Incident
This incident violates the fundamental principles of the CIA triad, compromising the confidentiality, integrity, and availability of the GitHub Enterprise Server. Confidentiality was compromised because the code and everything else on the server is proprietary rather than open source: its rights belong fully to Mercedes and no one else. Integrity and availability are also affected, since a threat actor could easily manipulate the files stored on the server, and if they decided to delete all the files from the server it would affect the company's whole operation and could completely shut down Mercedes' operations for an undefined time.
Recommendations
Such threat vectors are often the result of a lack of security awareness. To mitigate these risks, companies can take several steps, including educating employees on security, providing frequent security training, adopting CLI best practices, implementing zero trust, mandating multi-factor authentication, creating internal policies, and investing in data loss prevention (DLP) software.
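As an added illustration of the DLP recommendation above (example code written for this page, not from the original write-up, from Mercedes, or from GitHub), the following scanner flags GitHub token formats in text, such as a pre-commit hook or log filter would, so that a token never reaches a repository or a public search index. The token prefixes are GitHub's documented ones; the sample lines, the entropy threshold and the redaction format are constructed assumptions.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# GitHub token formats, identified by their documented prefixes: classic PAT (ghp_),
# OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_), refresh (ghr_),
# and fine-grained PAT (github_pat_). Matching is by shape only, not by validation.
CLASSIC_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
FINE_GRAINED_RE = re.compile(r"\b(github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b")

# Constructed sample input: a CI secret reference (not a literal), a realistic-looking
# classic token, a documentation placeholder, and a fine-grained token.
SAMPLE_LINES = [
    'export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"',
    'token = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
    'example = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # docs placeholder',
    'fine = "github_pat_11AbCdEfGh0123456789Zz_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456"',
]

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log or print the full token

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like ghp_xxxx... score far below real tokens."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(token: str) -> str:
    return token[:8] + "..." + token[-4:]

def scan_lines(lines, min_entropy: float = 3.0):
    """Flag token-shaped strings; min_entropy is an assumed threshold that drops placeholders."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in (("classic", CLASSIC_RE), ("fine-grained", FINE_GRAINED_RE)):
            for match in pattern.finditer(line):
                token = match.group(1)
                if shannon_entropy(token) < min_entropy:
                    continue
                findings.append(Finding(line_no, kind, redact(token)))
    return findings

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} GitHub token {f.redacted}")
```

Wiring this into a pre-commit hook or a log pipeline turns the "unmonitored" token of the incident into a blocked commit or an alert; the CI reference on the first sample line is deliberately not flagged, since it is a variable reference rather than a literal secret.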
References
https://cybernews.com/news/mercedes-github-token-data-leak/
https://www.reversinglabs.com/blog/lessons-from-the-mercedes-benz-github-source-code-leak
https://www.securityweek.com/leaked-github-token-exposed-mercedes-source-code/amp/