Heimdal

The famous BMW luxury car brand improperly secured its systems and exposed extremely sensitive files to the public. Threat actors had enough time to exploit the exposure to steal source code and even obtain BMW customer data.

How Were Clients' Data and the Website's Source Code Put at Risk

In February, researchers discovered that an unprotected environment (.env) file and .git configuration files were hosted on the official BMW Italy site. These could enable malicious actors to learn how the system is set up and to access the customer database.

The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen.


What Customer Info Does BMW Store?

BMW Italy's website collects a variety of user data, such as names, home and email addresses, and phone numbers. These alone could be enough for a threat group to use in a phishing campaign.

But BMW also knows:

  • what car you have, along with all the technical information about it
  • your phone's location. If you have the BMW or Mini apps installed and connected, a hacker could tell whether you are in the car or far away from it.
  • how much it cost, along with other contract details
  • your online account's data

Technically, all this information is protected, but you should still treat suspicious-looking emails with caution and keep an eye on your banking data.

What Should BMW Do to Protect Their Data?

According to researchers, BMW should enforce a series of security best practices:

  • Reset the GitLab CI token. Otherwise, hackers could clone the .git repository and exploit other vulnerabilities.
  • Change MySQL and PostgreSQL database credentials.
  • Change the host's ports and IP address, as a measure to prevent data leakage.
  • Change the ports that administrative portals use to listen to incoming connections. Hackers might try to use port scanning to launch their attacks more effectively.
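As an added example (not code from the article or from the researchers' report), a small Python audit a site operator could run against their own deployed web root: it flags `.env` and `.git` entries that would be served if the web server does not block dotfiles, and lists which credential keys in a leaked `.env` would need rotating, as the first two recommendations above require. The web root layout and the `.env` contents are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Entries that must never sit in a served web root (the BMW Italy case exposed .env and .git).
SENSITIVE_ENTRIES = {".env", ".git"}
# Keys whose values are credentials: once a .env is public, each of these must be rotated.
CREDENTIAL_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)
SAMPLE_ENV = """# constructed sample .env for the demo, not BMW's real file
APP_ENV=production
MYSQL_PASSWORD="example-only"
POSTGRES_PASSWORD=example-only
GITLAB_CI_TOKEN=example-only
PUBLIC_ASSET_URL=https://cdn.example.invalid
"""

def find_exposed_entries(webroot):
    """Return sensitive dotfiles/dotdirs found anywhere under the web root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in list(dirnames) + filenames:
            if name in SENSITIVE_ENTRIES:
                hits.append(os.path.join(dirpath, name))
        # the .git directory itself is the finding; no need to descend into it
        dirnames[:] = [d for d in dirnames if d != ".git"]
    return sorted(hits)

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def keys_to_rotate(env):
    """Credential keys from a leaked .env whose values must be reset."""
    return sorted(k for k, v in env.items() if v and CREDENTIAL_KEY.search(k))

def demo_webroot():
    """Build a throwaway web root mimicking the exposure; return findings as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text("<html></html>")
        Path(root, ".env").write_text(SAMPLE_ENV)
        Path(root, ".git").mkdir()
        return [os.path.relpath(p, root) for p in find_exposed_entries(root)]
```

Running `demo_webroot()` reports `.env` and `.git`, and `keys_to_rotate(parse_env(SAMPLE_ENV))` names the GitLab CI token and both database passwords as the values to reset.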


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
