A misconfigured cloud storage server belonging to auto large BMW uncovered delicate firm data, together with personal keys and inside knowledge, TechCrunch has discovered.
Can Yoleri, a safety researcher at menace intelligence agency SOCRadar, advised TechCrunch that he found the uncovered BMW cloud storage server whereas routinely scanning the web.
The uncovered Microsoft Azure hosted storage server — also called “Bucket” — in BMW’s growth surroundings “was mistakenly configured to be public as a substitute of personal resulting from misconfiguration,” Euleri stated.
The storage pool incorporates “textual content information that embody Azure bucket entry data, secret keys to entry the personal pool addresses, and particulars about different cloud companies,” Euleri added.
Screenshots shared with TechCrunch present that the uncovered knowledge included personal keys for BMW’s cloud companies in China, Europe and the US, in addition to login credentials for BMW’s personal manufacturing and growth databases.
It isn’t recognized precisely how a lot knowledge was uncovered or how lengthy the cloud was uncovered to the Web. “Sadly, that is the most important unknown normally bucket issues,” Euleri advised TechCrunch. “Solely the proprietor of the bucket can understand how lengthy it has truly been open.”
When reached through e-mail, BMW spokesperson Chris Total confirmed to TechCrunch that the information publicity affected a Microsoft Azure cluster primarily based on the storage growth surroundings, and stated that no buyer or private knowledge was affected consequently.
The spokesman added, “The BMW Group was capable of resolve this challenge initially of 2024, and we proceed to watch the scenario with our companions.”
BMW didn’t say how lengthy the storage pool was uncovered or whether or not it noticed any malicious entry to the uncovered knowledge. Though there isn’t a proof of malicious entry, “that does not imply it would not exist,” Eulery stated.
Euleri advised TechCrunch that though BMW made the group personal after reporting its findings to the corporate, the corporate didn’t revoke or change the password and credential combos contained inside the uncovered cloud group.
“Even when the bucket was made personal, it was obligatory to alter these entry keys. It would not matter if the bucket is personal anymore,” Yuleri stated, including that he tried to contact BMW about this subsequent challenge however obtained no response.
Final month, Mercedes-Benz confirmed that it had mistakenly uncovered a trove of inside knowledge after leaving a non-public key on-line that allowed “unrestricted entry” to its supply code. After TechCrunch revealed the safety challenge to Mercedes, the automaker stated it “instantly eliminated its API code and eliminated the general public repository.”