A security researcher recently discovered a misconfigured cloud storage server linked to automotive giant BMW that inadvertently exposed sensitive company information. Can Yoleri of SOCRadar found that the Microsoft Azure-hosted storage server, intended for BMW’s development environment, had been mistakenly set to public access.
Yoleri revealed that the exposed storage bucket contained script files disclosing Azure container access details, secret keys, and credentials for accessing private bucket addresses and other cloud services. Screenshots showed private keys and login credentials for BMW’s cloud services across regions like China, Europe, and the United States.
While the extent of the exposure remains uncertain, BMW confirmed that it had taken remedial action and affirmed that no customer or personal data was affected. How long the server was exposed and whether it was accessed maliciously remain unclear. Although BMW made the bucket private after the discovery, it has yet to revoke or modify the compromised access keys, raising concerns about lingering vulnerabilities.
This incident echoes a similar security lapse by Mercedes-Benz last month, underscoring the imperative for robust cybersecurity measures in the automotive industry.