Nissan Source Code Leaked via Misconfigured Git Server

What happened?

The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers.

The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin.

What got leaked?

Swiss software engineer Tillie Kottmann, who found the leak from an anonymous source and analyzed the Nissan data, said the Git repository contained the source code of:

  • Nissan NA Mobile apps
  • Some parts of the Nissan ASIST diagnostics tool
  • The Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • Client acquisition and retention tools
  • Sale / market research tools + data
  • Various marketing tools
  • The vehicle logistics portal
  • Vehicle connected services / Nissan connect things
  • And various other backends and internal tools

Nissan is investigating the leak

The Git server was taken offline after threat actors started sharing it on Telegram and other hacking platforms. Nissan has acknowledged the exposure and an investigation is currently underway. Nissan Response: “Nissan conducted an immediate investigation regarding improper access to proprietary company source code.

We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk”

Source code from dozens of companies leaked online

Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure.

A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Mediatek, GE Appliances, Nintendo, Roblox, Disney and the list keeps growing.

How to iron out such false steps? 

Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD. Doing the following can help you :

  • Scan application code for vulnerabilities
  • Scan repositories for Hard-Coded Credentials and Secret Keys
  • Plugging security into DevOps by implementing DevSecOps

Shift security to left

The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach.

We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development.

Get secured with Sumeru

For over 20 years, Sumeru is helping businesses to prevent breaches, simulate attacks, monitor security, stay compliant and get secured with 40+ security offerings. Reach out to us to know more hello@sumerusolutions.com and explore our website inservice.sumeru.com.