Security News > 2024 > January > A mishandled GitHub token exposed Mercedes-Benz source code
A mishandled GitHub token gave unrestricted access to Mercedes-Benz's internal GitHub Enterprise Service, exposing source code to the public.
On September 29, 2023, researchers at RedHunt Labs discovered a GitHub token in a public repository belonging to a Mercedez employee that gave access to the company's internal GitHub Enterprise Server.
"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the Internal GitHub Enterprise Server," reads RedHunt Labs' report.
This incident resembles a Toyota security mishap from October 2022, when the Japanese automaker revealed that personal customer information remained publicly accessible for five years due to an exposed GitHub access key.
We can confirm that source code containing an internal access token was published on a public GitHub repository by human error.
This token gave access to a certain number of repositories, but not to the entire source code hosted at the Internal GitHub Enterprise Server.