You’d normally expect a company the size of Nissan to have super-advanced security in place to protect its assets, but a software engineer discovered this week that this isn’t really the case.
The North American unit belonging to the Japanese carmaker was using a Bitbucket Git server “secured” with the default login credentials (username: admin, password: admin), thus exposing the source code of mobile apps, the internal core mobile library, sales and marketing research tools and data, client services, the dealer portal, and even tools related to connected car services.
The source code was discovered by software engineer Tillie Kottmann, who took to Twitter to reveal the embarrassing security configuration, with the data eventually being offered as part of a torrent link on various trackers. The pack contained close to 20 GB of data originating from Nissan’s Git server.
Nissan quickly addressed the incident, with the company explaining in a statement that no sensitive information of employees or consumers was exposed in the leak.
“Nissan conducted an immediate investigation regarding improper access to proprietary company source code,” the company said. “We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”
The data, however, continues to be available on torrent sites and several hacking forums.
Using “admin” as both the username and the password for a Git server hosting such important information is certainly a major error on Nissan’s side, and security experts once again emphasize the importance of multiple security layers to protect critical code.
“Nissan's breach not only demonstrates how easy it is to inadvertently leak source code, but also the importance of building security in layers. For example, if Nissan had enforced strong authentication policies, such as multifactor authentication, federated SSO via SAML, or restricted access to specific IP addresses, the default admin credentials would not have worked on their own and the incident likely would have been avoided,” Ronen Slavin, co-founder and CTO of Israeli Source Code Control, Detection, and Response solution startup Cycode, told autoevolution.
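The layered controls Slavin names (a non-default account, MFA, and an IP allowlist) can also be audited after the fact from a server’s login records. The script below is an added example, not code from the article, Nissan or Cycode; it assumes a hypothetical one-line-per-login log format, a constructed list of default account names and a constructed allowlisted network, and flags every successful login that bypassed one of those layers.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records (hypothetical format, not a real Bitbucket log):
# timestamp, source IP, user, result, whether MFA was completed.
SAMPLE_LOG = """\
2021-01-04T10:12:03Z 203.0.113.7 admin LOGIN_OK mfa=no
2021-01-04T10:12:09Z 10.20.0.15 jsmith LOGIN_OK mfa=yes
2021-01-04T10:13:44Z 198.51.100.23 admin LOGIN_FAIL mfa=no
2021-01-04T10:14:01Z 10.20.0.42 bitbucket LOGIN_OK mfa=no
"""

# Hypothetical policy values for this example: built-in/default account names
# that should never log in interactively, and the only network allowed to reach the server.
DEFAULT_ACCOUNTS = {"admin", "administrator", "bitbucket", "root"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) mfa=(yes|no)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    source_ip: str
    reasons: tuple  # which layers the login got past without being stopped


def audit_logins(log_text):
    """Return a Finding for every successful login that slipped past a control layer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; ignore for this check
        ts, ip, user, result, mfa = m.groups()
        if result != "LOGIN_OK":
            continue  # only successful logins matter here; failures show the layer held
        reasons = []
        if user in DEFAULT_ACCOUNTS:
            reasons.append("login as default/built-in account")
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETWORKS):
            reasons.append("source IP outside allowlist")
        if mfa == "no":
            reasons.append("no MFA")
        if reasons:
            findings.append(Finding(ts, user, ip, tuple(reasons)))
    return findings
```

A login that trips all three reasons at once, as the first sample line does, is exactly the single-layer failure described above: one default password was the only thing standing between the internet and the repositories.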
Nissan emphasizes the leaked code does not expose consumers or their vehicles.