Nissan suffers data leak via misconfigured Git server

The exposed data included source code of Nissan mobile apps and diagnostics tool

Nissan North America has been hit with a data leak after misconfiguring one of its Bitbucket Git servers.

Swiss software engineer and consultant Tillie Kottmann publicly disclosed the incident this week, after learning of it from an anonymous source. Kottmann analysed the exposed data and found that it included source code of Nissan mobile apps and diagnostics tool, among other assets.

Kottmann told ZDNet that the Git repository also contained the source code of Nissan's internal core mobile library, market research tools and data, Dealer Business Systems and Dealer Portal, client acquisition and retention tools, vehicle logistics portal, vehicle connected services and Nissan/Infiniti NCAR/ICAR services, as well as other internal tools.

According to Kottmann, the leak occurred after one of the Nissan's Git servers was left exposed online with a default username and password (admin/admin).

https://twitter.com/antiproprietary/status/1346238602536214528?ref\\_src=twsrc%5Etfw

The company took the exposed Git server offline earlier this week after its data began to emerge on Telegram and some hacking forums in the form of torrent links.

In a statement, Nissan confirmed the security incident, stating that that it was 'aware of a claim regarding a reported improper disclosure of Nissan's confidential information and source code.'

'We take this type of matter seriously and are conducting an investigation,' it added.

Misconfigured servers are a common source of data leaks. Nissan Canada suffered a similar data breach in 2017, while a misconfigured GitLab server in 2018 exposed the source code of various Mercedes Benz apps and tools.

In March last year, Virgin Media blamed a misconfigured marketing database for a 10-month long data breach that may have compromised the personal details of thousands of the company's current and former customers.

In September, researchers from tech services review firm Comparitech said that their research had shown that nearly six per cent of all Google Cloud buckets were vulnerable to unauthorised access due to misconfiguration issues.

The team looked for Alexa's top 100 web domains, in combination with some common words used by admins when naming their buckets. Through this web scan, they discovered 2,064 Google Cloud buckets in about 2.5 hours. After analysing the buckets, the researchers found that 131 of them were misconfigured and vulnerable to unauthorised access.

In January last year, security researchers at vpnMentor also discovered an unsecured database stored in an AWS S3 bucket, which contained information belonging to the HR departments of various British consultancy firms.