Unsecured Git server exposed Nissan North America

A misconfigured Git server is the root cause of the leak of the source code of mobile apps and internal tools belonging to Nissan North America.

A misconfigured Git server has caused the leak of the source code of mobile apps and internal software used by Nissan North America.

The situation is embarrassing: software engineer Tillie Kottmann was informed by an anonymous source that the Git server was exposed online and accessible to anyone using the default login credentials admin/admin.

The news was first reported by ZDNet, which was contacted by Kottmann.

RELEASE: Nissan North America Source Code Dump
A COMPLETE dump of all git repositories from Nissan NA, most notably including sources for:
– the Nissan NA Mobile apps
– some parts of the ASIST diagnostics tool
– the Dealer Business Systems / Dealer Portal
(1/n) pic.twitter.com/ltDvg9blTB
— tillie, doer of crime (@antiproprietary) January 4, 2021

– Nissan internal core mobile library
– Nissan/Infiniti NCAR/ICAR services
– client acquisition and retention tools
– sale / market research tools + data
– various marketing tools
– the vehicle logistics portal
(2/n)
— tillie, doer of crime (@antiproprietary) January 4, 2021

The engineers analyzed the content of the repository and confirmed the presence of the source code for:

– Nissan NA Mobile apps
– some parts of the Nissan ASIST diagnostics tool
– the Dealer Business Systems / Dealer Portal
– Nissan internal core mobile library
– Nissan/Infiniti NCAR/ICAR services
– client acquisition and retention tools
– sale / market research tools + data
– various marketing tools
– the vehicle logistics portal
– vehicle connected services / Nissan connect things
– various other backends and internal tools

In a series of tweets, the researchers also provided insights related to the code, such as the password handling routine implemented in the ASIST/NNA_MNS_PartsServices_IMS-ASISTUserAuthentication process.

If you look at ASIST/NNA_MNS_PartsServices_IMS-ASISTUserAuthentication, you can see that this is how password handling in ASIST works. oh no. (5/n) pic.twitter.com/qM1GqMq6FL
— tillie, doer of crime (@antiproprietary) January 4, 2021

The car maker shut down the Git server after the public disclosure of the leak.

The leaked data are already circulating in the hacking underground: experts reported the availability of torrent links to the leaked material on hacking forums and Telegram channels.

A company spokesperson told ZDNet that the company launched an investigation into the incident and promptly secured the impacted server.

“Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident,” states the spokesperson. “The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”

In May 2020, the same researcher found a similar data leak that impacted Mercedes-Benz.


Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Unsecured Git server exposed Nissan North America appeared first on Security Affairs.