Photo by Artiom Vallat on Unsplash
BMW Security Flaw Exposed Sensitive Company Information
February 15, 2024
A faulty cloud storage server owned by premium car giant BMW revealed sensitive company information, which includes internal data and private keys, according to TechCrunch.
Speaking to TechCrunch, Can Yoleri, a security researcher at threat intelligence company SOCRadar, said that he spotted the exposed BMW cloud storage server when he was doing a regular scan of the internet.
Yoleri revealed that the exposed Microsoft Azure-hosted storage server, also referred to as a “bucket,” in BMW’s development space was “accidentally configured to be public instead of private due to misconfiguration.”
He added that the storage bucket had within it “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.”
Screenshots were shared with TechCrunch that show the exposed data, which entails login details for BMW’s production and development databases and personal keys for BMW’s cloud services in the U.S., China, and Europe.
It’s unclear at the moment as to the amount of data that was exposed or how long the cloud bucket was out there on the internet. Yoleri said, “Unfortunately, this is the biggest unknown in public bucket problems. Only the bucket owner can see how long it has actually been open.”
According to BMW spokesperson Chris Overall, the data exposure affected a Microsoft Azure bucket within a storage development environment, with no impact on customer or personal data. He added that “the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners.”
BMW refrained from commenting on the duration of exposure or whether malicious groups had detected the storage bucket. Yoleri said there was no evidence to support this, however, he noted that it “does not mean it doesn’t exist.” He explained, “Even if the bucket has been made private, it was necessary to change these access keys. It doesn’t matter if the bucket is private anymore.”
Recent News
NHTSA Investigates Tesla Autopilot Again After Recent Software Update
Tesla Autopilot is once again the subject of an NHTSA investigation.
Home Depot Holds Halfway to Halloween Sale: Skelly’s Back
It’s halfway to spooky season, and Home Depot is celebrating.
Kaiser Discloses Health Insurance Data Breach
Health insurance company Kaiser is notifying millions of its current and former members about a data breach. The breach occurred when Kaiser shared patients’ information with third-party advertisers like Google, Microsoft, and X (formerly Twitter).
Satirical Site The Onion Acquired by Global Tetrahedron
The satirical news website, The Onion, has been sold by G/O Media to a group of digital media veterans.