Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.
BMW exposed sensitive files to the public
Attackers could exploit the data to steal the website’s source code and potentially access customer info
BMW secured the data that wasn’t meant to be public in the first place
BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer
BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.
If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.
In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.
Researchers noted that while this information is not enough for threat actors to compromise the website, they could be used for reconnaissance – covertly discovering and collecting information about a system. Data could lead to the website being compromised or point attackers towards customer information storage and the means to access it.
The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.
“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.
Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.
In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw. The company might have either used a vulnerable Laravel version or it might have been misconfigured by mistake by someone using an up-to-date version.
You must log in to post a comment.Thanks for submitting your comment!