The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers.
The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin.
Swiss software engineer Tillie Kottmann, who found the leak from an anonymous source and analyzed the Nissan data, said the Git repository contained the source code of:
The Git server was taken offline after threat actors started sharing it on Telegram and other hacking platforms. Nissan has acknowledged the exposure and an investigation is currently underway. Nissan Response: “Nissan conducted an immediate investigation regarding improper access to proprietary company source code.
We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk”
Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure.
A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Mediatek, GE Appliances, Nintendo, Roblox, Disney and the list keeps growing.
Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD. Doing the following can help you :
The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach.
We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development.
For over 20 years, Sumeru is helping businesses to prevent breaches, simulate attacks, monitor security, stay compliant and get secured with 40+ security offerings. Reach out to us to know more [email protected] and explore our website inservice.sumeru.com.