How to Avoid Source Code Breaches: Lessons From the Mercedes-Benz GitHub Token Leak

By Omar Yang (Senior Threat Researcher, Automotive) and Paul Pajares (Senior Threat Researcher, Automotive)

Mercedes-Benz recently confirmed that one of its GitHub tokens, as first reported by RedHunt Labs, was leaked. The incident traces back to Sept. 29, 2023, when one of the automaker’s employees mistakenly uploaded a security token to a public repository.

This security token essentially acted as a master key, granting the holder full ownership rights over the associated GitHub account, including access to private GitHub repositories. Within one of these private repositories, another token was discovered, providing access to Mercedes-Benz’s GitHub Enterprise account, where more critical credentials were stored. Unfortunately, these credentials were not adequately secured, making them accessible from the internet as well as within the company’s internal network.

Figure 1. A timeline of events concerning the Mercedes-Benz GitHub token leak

In a response to BleepingComputer, Mercedes-Benz said it had already revoked the token and immediately removed the public repository, adding that no customer data was affected, based on its analysis.

A series of unfortunate yet avoidable events

Mercedez-Benz’s recent leak underscores the critical need for stringent security protocols in managing code infrastructure and sensitive data, as access tokens and credentials, when mishandled, can compromise entire digital ecosystems.

Figure 2. The potential attack chain in Mercedes-Benz’s source code leak: from public to private GitHub, and to GitHub Enterprise

A lot can be learned from this breach. For one thing, it certainly did not happen in a vacuum but rather unfolded amid a series of security oversights. This chain of security gaps highlights the importance of diligent security practices at each step of handling sensitive information.

1. Had the initial GitHub token not been uploaded to a public repository, the subsequent discovery of the token stored within a private repository would have been highly unlikely. This initial lapse set the stage for further security breaches.
2. Similarly, if the token within the private repository had not been uploaded, unauthorized access to Mercedes-Benz’s internal GitHub Enterprise account would have been significantly less feasible. This demonstrates the cascading nature of security vulnerabilities.
3. Furthermore, had the token mentioned in point 2 been configured with appropriately restricted privileges, its potential to compromise the internal GitHub Enterprise code infrastructure would have been minimized. This indicates the importance of the principle of least privilege in mitigating the impact of any unauthorized access.
4. Lastly, if the database connection strings, cloud service keys such as AWS or Azure keys, and API keys had not been stored within the internal code infrastructure, the extent of the data breach could have been limited primarily to the source code and other, less sensitive information. Including these critical access credentials within the codebase significantly expanded the potential scope of the data breach.

How GitHub tokens can be leaked

It’s imperative to secure and prevent GitHub tokens from leaking to ensure the security of repositories containing source codes, SQL statements, and other sensitive data, including blueprints and customer information. This is especially true given that GitHub tokens can be leaked in numerous ways, including through the following:

• Hard-coded credentials. Developers sometimes embed API keys directly within their source code for convenience. However, this practice can lead to token exposure if the code becomes public or is shared, evoking the importance of securing passwords through salt hashing to prevent plain-text visibility.
• Commit history. During regular development, it’s possible for developers to inadvertently include sensitive information like tokens or API keys in their commit history. Should the repository be public, these commits can be traced, revealing the sensitive data. It’s critical to scrutinize commit logs and debug information to prevent such leaks.
• Sensitive configuration files. Configuration files play a key role in system and application access. Mishandling these files and accidentally sharing them in public repositories can lead to token or API key exposure.
• Third-party integration errors. Software development often requires third-party integrations, which necessitate authentication. Improper handling of these integrations can lead to misuse or abuse of exposed credentials.
• Exposed environment variables. Developers commonly use environment variables to store sensitive information outside the program within the operating system. If these variables are improperly managed, they can reveal sensitive data when the source code or scripts are shared.
• Cyberattacks. In the event of a cyberattack, attackers typically search for valuable data, including files that contain GitHub tokens. It’s vital to vigilantly monitor and secure development environments to mitigate the risk of such breaches.

Best practices for securing GitHub tokens

As we’ve noted in VicOne’s automotive cybersecurity predictions and recommendations for 2024, data leaks, whether accidental or deliberate, will persist. Mitigating the risk of insider threats calls for enhanced internal security protocols, regular audits, and employee training. Building upon these recommended mitigations, here are some best practices for securing GitHub tokens: 

• Secure secret/credential management. Employ secure storage solutions, use environment variables, or leverage GitHub Secrets to safeguard tokens and API keys. GitHub Actions, for instance, builds and tests every pull request submitted to a repository or deploys merged pull requests to production environments. In such workflows, environment variables are indispensable for securing sensitive information.
• Code review practices. Rigorously review code prior to committing changes to detect and remove any sensitive information. This proactive measure is crucial in preventing potential leaks.
• Privileged access management (PAM) systems/Hardware security modules (HSMs). Secure GitHub tokens using privileged access management (PAM) systems designed to monitor, detect, and prevent unauthorized access to critical assets. Implement secure storage in a vault to tightly control access to tokens, passwords, certificates, API keys, and other essential credentials. Use hardware security modules (HSMs) for enhanced security for storing cryptographic keys used in vital operations like encryption, decryption, and authentication, thereby ensuring robust authentication mechanisms.
• Exclude sensitive files. Utilize the .gitignore file or configure Git to ignore and exclude sensitive files and configurations from being tracked. This step ensures that such files remain untracked and outside the version control system.
• Routine security audits. Conduct regular audits of repositories to identify and rectify any sensitive information or misconfigurations that might have been unintentionally committed. Prompt action to revert such commits can significantly reduce security risks.
• Foster security awareness. Recognize that human error often represents a significant vulnerability in security practices. Cultivate a strong security culture within the development team and emphasize careful handling of sensitive information to minimize the risk of data leaks. 

Assessing the leak’s far-reaching impacts

The incident in question not only compromised Mercedes-Benz’s internal code infrastructure but also extended to employees’ private GitHub repositories and linked cloud services or databases. The fallout from such a breach can be widespread and severe, encompassing the leakage of intellectual property (including code and documents), financial losses, potential leaks of personal data that could result in legal repercussions, and significant reputational damage. 

While the breach primarily presents itself as an IT security issue, VicOne’s analysis reveals a concerning aspect of credential leakage: the potential to compromise physical safety. During a demonstration at the inaugural edition of Pwn2Own Automotive, held in late January in Tokyo, Japan, VicOne researchers used compromised account credentials to remotely attack a vehicle located halfway across the world. This attack scenario highlights the broad spectrum of risks associated with security lapses in digital infrastructure, and emphasizes that the implications can extend far beyond the digital realm and have tangible effects on physical security. Incidents such as this serve as a stark reminder of the utmost importance of securing digital assets like GitHub tokens and of other stringent security measures and protocols to protect not only digital assets but also the physical well-being of individuals connected to or otherwise engaged with the affected systems. 

To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.