A misconfigured cloud storage server belonging to automotive giant BMW exposed sensitive company information, including private keys and internal data, TechCrunch has learned.
Can Yoleri, a security researcher at threat intelligence company SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while routinely scanning the internet.
Yoleri said the exposed Microsoft Azure-hosted storage server, known as a "bucket," in BMW's development environment was "accidentally configured to be public instead of private due to misconfiguration."
Yoleri added that the storage bucket contained "script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services."
Screenshots shared with TechCrunch show that the exposed data included private keys for BMW's cloud services in China, Europe, and the United States, as well as login credentials for BMW's production and development databases.
It's not known exactly how much data was exposed or how long the cloud bucket was exposed to the internet. "Unfortunately, this is the biggest unknown in public bucket problems," Yoleri told TechCrunch. "Only the bucket owner can see how long it has actually been open."
When reached by email, BMW spokesperson Chris Total confirmed to TechCrunch that the data exposure affected a Microsoft Azure bucket based in a storage development environment and said no customer or personal data was impacted as a result.
The spokesperson added that "the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners."
BMW would not say for how long the storage bucket was exposed or whether it had observed any malicious access to the exposed data. Yoleri said that while he does not have any evidence of malicious access, "that doesn't mean it doesn't exist."
Yoleri told TechCrunch that while BMW made the bucket private after he reported his findings to the company, the company has not revoked or changed the sets of passwords and credentials found inside the exposed cloud bucket.
"Even if the bucket has been made private, it was necessary to change these access keys. It doesn't matter if the bucket is private anymore," Yoleri said. He added that he tried to reach out to BMW about this subsequent issue but did not receive a response.
Last month, Mercedes-Benz confirmed it accidentally exposed a trove of internal data after leaving a private key online that allowed "unrestricted access" to its source code. After TechCrunch disclosed the security issue to Mercedes, the carmaker said it had "revoked the respective API token and removed the public repository immediately."