Researcher finds BMW security lapse exposed sensitive company information


A misconfigured cloud storage server belonging to automotive giant BMW has exposed sensitive company information, including private keys and internal data, TechCrunch has learned.

Ken Yoleri, a security researcher at threat intelligence company SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while performing a routine Internet scan.

Yoleri said the exposed Microsoft Azure-hosted storage servers in BMW’s development environment – also known as “buckets” – “were accidentally configured to be public instead of private due to a misconfiguration.”

Yoleri said the storage bucket “contains script files that contain Azure container access information, secret keys to access private bucket addresses, and details about other cloud services.”

Screenshots shared with TechCrunch show that the exposed data includes private keys to BMW’s cloud services in China, Europe, and the United States, as well as login credentials for BMW’s production and development databases.

It is not known exactly how much data was exposed or how long the cloud bucket was exposed to the Internet. “Unfortunately, this is the biggest unknown in the public bucket problems,” Yoleri told TechCrunch. “Only the owner of the bucket can see how long it has actually been open.”

When reached by email, BMW spokesperson Chris Overall confirmed to TechCrunch that the data exposure affected a Microsoft Azure bucket located in a storage development environment and said that no customer or personal data was affected as a result.

The spokesperson said that “BMW Group was able to fix the issue by early 2024, and we continue to monitor the situation closely with our partners.”

BMW would not say how long the storage bucket was open or whether it observed any malicious access to the exposed data. Yoleri said that although he has no evidence of malicious access, “that doesn’t mean it doesn’t exist.”

Yoleri told TechCrunch that BMW made the bucket private after the company was informed of his findings, but the company has not revoked or changed the set of passwords and credentials found within the exposed cloud bucket.

“Even though the bucket was made private, it was necessary to change these access keys. It doesn’t matter that the bucket is now private,” Yoleri said. He said he tried to reach out to BMW about this latter issue but did not receive a response.

Last month, Mercedes-Benz confirmed it had accidentally exposed a trove of internal data after releasing a private key online that allowed “unrestricted access” to its source code. After TechCrunch disclosed the security issue to Mercedes, the carmaker said it had “revoked the associated API tokens and immediately removed them from the public repository.”
