The collection is 20 GB large and includes source code of a range of Nissan services including NissanConnect.
Swiss software engineer Tillie Kottmann discovered that Nissan North America’s mobile app, market research tools, diagnostics tools, and data assets’ source code was leaked online. Here is what we know about the data leak so far.
Nissan Source Code Leaked:
Nissan’s source code leaked because of a misconfigured Git server belonging to the company. The server was protected only by the default administrator credentials: username admin, password admin.
Reportedly, multiple code repositories of the company were exposed online. It is not yet clear whether Nissan discovered the leak itself or was tipped off by someone.
20 GB of Data Exposed
According to Kottmann, the exposed repository stored critical data assets of Nissan North America. The collection is 20 GB large and includes source code of a range of Nissan services including NissanConnect.
The researcher also posted a list of services impacted by the leak:
- Nissan NA Mobile apps
- Parts of the ASIST Diagnostic System software
- Dealer Business Systems/Dealer Portal
- Nissan internal core mobile library
- Nissan/Infiniti NCAR/ICAR services
- Client acquisition and retention tools
- Sale/market research tools and data
- Various marketing tools
- Vehicle logistics portal
- Vehicle connected services/Nissan connect things
- Various other backends and internal tools
Git Server Taken Offline
The Git server was taken offline on Thursday after threat actors started sharing the data on Telegram and other hacking platforms. Nissan has acknowledged the exposure, and an investigation is currently underway.
In a conversation with Hackread.com, Dotan Nahum, CTO and co-founder of Spectral, a code security platform, said:
“Corporate software has seen a massive increase in adoption during the pandemic. However, the software does carry inherent risks with it, and those risks are multiplying. One of the reasons this kind of breach is likely to happen is due to the Shadow IT problem; this can occur when unknown Git servers exist in the organization outside an enforceable security policy.”
“This may sound like a rare occurrence but is very common with large and small organizations alike. It still remains to be seen, and I’m sure we will soon discover if Nissan has done a good job protecting their code from would-be attackers and have not exposed any additional info by including secrets, database passwords, certificates, and customer data in their Git repo code,” Dotan advised.
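The check Nahum alludes to, whether a repository carries secrets, database passwords or private keys alongside its code, can be approximated with a pattern scan over every file. The script below is an added example written for this article; it is not code from Nissan, Spectral or the original report, and its detection rules and the sample repository contents are constructed for illustration (the AWS key is the documented placeholder value, the password is made up).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# Detection rules assumed for this example (not Nissan's or Spectral's rule set).
# Where a regex has a capture group, group 1 is the secret value and is redacted
# in the report; rules without a group (the PEM header) are reported as matched.
SECRET_RULES: List[Tuple[str, Pattern[str]]] = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:([^\s@/]+)@", re.I)),
    ("hardcoded_credential",
     re.compile(r"""(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]?([^\s'"]{6,})""")),
    ("slack_token",
     re.compile(r"\b(xox[baprs]-[0-9A-Za-z-]{10,})\b")),
]

# Values that are obviously placeholders rather than live secrets; skip them so
# README snippets and example configs do not drown the real findings.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<password>",
                "todo", "null", "none", "redacted"}


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int
    redacted: str  # the report never carries the full secret


def redact(value: str) -> str:
    """Keep just enough of the value to identify it when triaging."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in SECRET_RULES:
            for m in regex.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                if value.strip("'\"<>").lower() in PLACEHOLDERS:
                    continue
                shown = redact(value) if m.lastindex else value
                findings.append(Finding(rule, path, line_no, shown))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps a repo-relative path to its contents, e.g. as read from the
    working tree or from `git show <rev>:<path>` for each historical revision."""
    out: List[Finding] = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository: a mix of real-looking leaks and a harmless placeholder.
SAMPLE_REPO: Dict[str, str] = {
    "config/database.yml": "production:\n  url: postgres://app:Sup3rS3cret!@db.internal:5432/nissan\n",
    "src/aws.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nregion = 'us-east-1'\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfakekeybody\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set PASSWORD=changeme before first run.\n",
    "tests/fixtures.py": "password = 'hunter2hunter2'\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.rule:22} {f.path}:{f.line_no}  {f.redacted}")
```

Scanning only the current working tree is not enough: a password removed in a later commit is still in the history, and anyone who clones the repository gets every revision. Feed each historical blob through `scan_repo` (or use a purpose-built tool such as gitleaks or trufflehog, which do exactly that) and rotate anything found, since a secret that has been in a public clone must be treated as compromised regardless of whether the commit is later rewritten.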
The company stated that it was “aware of a claim regarding a reported improper disclosure of Nissan’s confidential information and source code.” The company has reportedly launched an investigation. However, Kottmann states that the torrent link of the data has already been shared online, so regardless of Nissan’s efforts, it will still end up in the hands of unauthorized third parties.