Unsecured Git server exposed Nissan North America

Pierluigi Paganini January 08, 2021

A misconfigured Git server is the root cause of the leak of source code of mobile apps and internal tools belonging to Nissan North America.

A misconfigured Git server has caused the leak of the source code of mobile apps and internal software used by Nissan North America.

The situation is embarrassing: software engineer Tillie Kottmann was informed by an anonymous source that the Git server was exposed online and accessible to anyone using the default login credentials admin/admin.

The news was first reported by ZDNet, which was contacted by Kottmann.

https://twitter.com/antiproprietary/status/1346238588476915713
https://twitter.com/antiproprietary/status/1346238590536327175

The engineers analyzed the content of the repository and confirmed the presence of the source code for:

  • Nissan NA Mobile apps
  • some parts of the Nissan ASIST diagnostics tool
  • the Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • client acquisition and retention tools
  • sale / market research tools + data
  • various marketing tools
  • the vehicle logistics portal
  • vehicle connected services / Nissan connect things
  • and various other backends and internal tools

In a series of tweets, the researchers also provided insights related to the code, such as the password handling routine implemented in the ASIST/NNA_MNS_PartsServices_IMS-ASISTUserAuthentication process.

https://twitter.com/antiproprietary/status/1346238597708578818

The car maker shut down the Git server after the public disclosure of the leak.

The leaked data are already circulating in the hacking underground; experts reported the availability of torrent links to the leaked material on hacking forums and Telegram channels.

A company spokesperson told ZDNet that the company launched an investigation into the incident and promptly secured the impacted server.

“Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident.” states the spokesperson. “The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”

The researcher found a similar data leak in May 2020 that impacted Mercedes Benz.
