Cybernews researchers discovered that BMW exposed sensitive files that were generated by a framework that BMW Italy relies on.

Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/
Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.
- BMW exposed sensitive files to the public
- Attackers could exploit the data to steal the website’s source code and potentially access customer info
- BMW secured the data that wasn’t meant to be public in the first place
- BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer
BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data. If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.
The discovery
In February, Cybernews researchers stumbled upon unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website.
Environment files (.env), meant to be stored locally, included data on production and development environments. Researchers noted that while this information is not enough for threat actors to compromise the website, it could be used for reconnaissance – covertly discovering and collecting information about a system. The data could lead to the website being compromised, or point attackers towards customer information storage and the means to access it.
The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.
“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.
Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free, open-source PHP framework designed for the development of web applications.

In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information, such as externally usable passwords, by exploiting the flaw. The company might have either used a vulnerable Laravel version, or it might have been misconfigured by mistake by someone using an up-to-date version.
Recommendations for BMW
- Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential vulnerabilities within the website
- Reset the credentials of the MySQL and PostgreSQL databases, and change the host’s ports and IP to avoid sensitive data leakage
- Change the ports on which the administrative portals listen for incoming connections, to avoid exposing the internal tools and potentially tipping off hackers about what attacks to launch
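The triage behind the recommendations above (reset the CI token and database credentials, treat hosts and ports as disclosed), as an added example that is not part of the Cybernews or Security Affairs post: a small Python parser for the Laravel-style .env format, run over a constructed sample file, that reports which keys must be rotated and which are now reconnaissance data. The sample values, the key names and the classification rules are assumptions for illustration, not anything from BMW's files.

```python
import re
# Constructed sample in Laravel .env layout; every value here is a placeholder.
SAMPLE_ENV = """\
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEY=
APP_URL=https://example.invalid
# Database
DB_HOST=10.0.0.5
DB_PORT=3306
DB_USERNAME=app
DB_PASSWORD="s3cr3t#pass"  # quoted, so the '#' belongs to the value
PGSQL_URL="postgres://app:${DB_PASSWORD}@10.0.0.6:5432/app"
GITLAB_CI_TOKEN='glpat-example-token'
"""
_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
_SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|_KEY$", re.I)
_URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^@\s]+@", re.I)
_RECON_KEY_RE = re.compile(r"HOST|PORT|URL|USER", re.I)

def parse_dotenv(text: str) -> dict:
    # phpdotenv rules: '#' comments, quotes, ${VAR} interpolation (not in single quotes).
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed line; phpdotenv itself would reject the file
        key, rest = m.group(1), m.group(2)
        quote = rest[:1]
        if quote in ('"', "'"):
            end = rest.find(quote, 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:
            value = rest.split(" #", 1)[0].strip()  # inline comment needs a space
        if quote != "'":
            value = re.sub(r"\$\{(\w+)\}", lambda v: env.get(v.group(1), ""), value)
        env[key] = value
    return env

def rotation_triage(env: dict) -> dict:
    # Returns key names only, never values, so the report itself can be shared.
    rotate, recon = [], []
    for key, value in env.items():
        if _SECRET_KEY_RE.search(key) or _URL_CRED_RE.match(value):
            rotate.append(key)  # credential: reset it
        elif _RECON_KEY_RE.search(key):
            recon.append(key)  # infrastructure detail now known to attackers
    return {"rotate": sorted(rotate), "recon": sorted(recon)}
```

Connection strings are flagged for rotation even when their key name looks harmless, because the password embedded in the URL is the secret that leaked.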
What BMW knows about you
- As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
- BMW also knows what vehicle you own, has contract details, and your online account’s data that could be used for phishing and/or credential-stuffing attacks
- BMW knows technical information about your vehicle, and the location of your phone if it has BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since the attacker could figure out if you are inside your car or far away from it
- Since the data was secured by the manufacturer, there’s no need to worry. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information.
If you want to know more about car hacking and the mistakes made by car makers, take a look at the original post at https://cybernews.com/security/bmw-exposes-italy-clients/
About the author: Jurgita Lapienytė, Chief Editor at CyberNews