This hacker used search dorks on GitLab to access a Mercedes-Benz repository and leaked onboard logic unit (OLU) source code online
Just yesterday, we detailed how a security researcher, Tillson Galloway, was able to make $10,000 from bug bounties by using a GitHub dork search tool. It seems another security researcher used a similar process on GitLab to access a Mercedes-Benz repository and take the Onboard Logic Unit source code. He then proceeded to leak the entire source code online.
The leak was done by Till Kottmann, a Swiss-based software engineer. Kottmann discovered a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand. He found he could easily register on Daimler’s code-hosting portal without using a Daimler corporate email address.
Kottmann downloaded more than 580 Git repositories hosted on Daimler AG’s GitLab server, containing the source code of onboard logic units (OLUs) installed in Mercedes vans.
Mercedes-Benz Onboard Logic Unit
The Onboard Logic Unit (OLU) is the most critical part of any vehicle. The Mercedes-Benz OLU is the onboard computer that connects the vehicle to the servers. According to the Daimler website, the OLU “simplifies technical access and the management of live vehicle data” and allows third-party developers to create apps that retrieve data from Mercedes vans. An OLU can be used to track a vehicle or immobilize it in case of theft. It can also provide internal engine diagnostics to the car owner.
Kottmann told ZDNet that accessing and downloading the OLU source code from GitLab was easy using search dorks. GitLab is a code-hosting platform like GitHub and allows collaborative work on Git repositories.
“I often just hunt for interesting GitLab instances, mostly with just simple Google dorks, when I’m bored, and I keep being amazed by how little thought seems to go into the security settings,” Kottmann told ZDNet.
Daimler didn’t have any whitelist policy for email registration and allowed anybody to register on the GitLab server. Once he had registered, he used search dorks to locate the source code for the Mercedes-Benz OLU. Kottmann downloaded more than 580 Git repositories, which he leaked online to the file-hosting service MEGA, the Internet Archive, and his own GitLab server.
The leaked projects included the source code of the OLU components of Mercedes vans, but also Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and more.
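The configuration weakness described above is auditable: a self-hosted GitLab instance exposes its sign-up and visibility settings through the application-settings API, and an administrator can check them for exactly this open-registration pattern. The script below is an added example, not code from the article or from Daimler; the two settings dicts are constructed samples (the keys are real GitLab settings fields, the newer name for the email whitelist being domain_allowlist), and corp.example.com is a placeholder domain.

```python
"""Audit a self-hosted GitLab instance's sign-up settings for the open-registration
pattern described above. Added example, not code from the article; sample values
are constructed, the keys are real fields of GET /api/v4/application/settings."""
import json
import urllib.request

OPEN_SETTINGS = {  # constructed: what an unrestricted instance looks like
    "signup_enabled": True,
    "require_admin_approval_after_user_signup": False,
    "domain_allowlist": [],
    "email_restrictions_enabled": False,
    "default_project_visibility": "internal",
}
HARDENED_SETTINGS = {  # constructed: sign-up closed, fenced to a placeholder domain
    "signup_enabled": False,
    "require_admin_approval_after_user_signup": True,
    "domain_allowlist": ["corp.example.com"],
    "email_restrictions_enabled": False,
    "default_project_visibility": "private",
}

def audit_signup_settings(settings):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    if settings.get("signup_enabled"):
        # Open sign-up is tolerable only if registrations are fenced somehow.
        if not settings.get("domain_allowlist") and not settings.get("email_restrictions_enabled"):
            findings.append("open sign-up with no email domain allowlist or restriction")
        if not settings.get("require_admin_approval_after_user_signup"):
            findings.append("new accounts are usable without admin approval")
    if settings.get("default_project_visibility") == "internal":
        # 'internal' projects are readable by every signed-in account, so with
        # open sign-up anyone who registers can browse them.
        findings.append("new projects default to 'internal' visibility")
    return findings

def fetch_settings(base_url, token):
    """Fetch live settings with an admin token (not exercised offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/application/settings",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_signup_settings(cfg) or ["ok"])
```

Against a live instance, pass the result of fetch_settings to audit_signup_settings; the same checks apply to instances that mirror the weak sample.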
ZDNet reached out to Daimler AG for comment. The company took down the GitLab server that hosted the source code. Kottmann says he will delete the leaked code if Daimler reaches out to him. While finding weaknesses in GitLab access controls is all well and good, leaking code online without informing the company is not responsible disclosure. ZDNet notes that since the GitLab server allowed anyone to register an account, some could interpret it as an open system.
However, it remains a question of ethics and responsible, ethical hacking.