Significant Data Exposure at Tata Motors Revealed
Security researcher Eaton Zveare has disclosed vulnerabilities in Tata Motors' web infrastructure that exposed more than 70 terabytes of data, including customers' personal information, financial documents and detailed fleet management records.
The issues, found during security research in 2023 and now public, centre on AWS access keys hardcoded into publicly accessible websites. Because the keys shipped in code that any visitor could read, they gave unauthenticated access to numerous cloud storage buckets.
The incident underscores the persistent risk in the digital platforms of major automotive manufacturers, where a single exposed credential can put the data of millions of customers and dealers at risk.
The E-Dukaan platform, an online marketplace for vehicle spare parts, embedded plaintext AWS credentials in its client-side source code, giving anyone who viewed the source unrestricted access to large stores of confidential information.
The compromised keys granted access to customer database backups, market intelligence lists and hundreds of thousands of invoices, all containing sensitive details such as names, addresses and Indian PAN (Permanent Account Number) tax identifiers.
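The defect behind the E-Dukaan and Azuga findings is the same one: a credential sitting in JavaScript that is served to every visitor. The scanner below is an added example, not code from Tata Motors or from the article, of the check a code review or CI job should run over built bundles. The sample bundle is constructed, and the key values are AWS's documented placeholder keys, not real credentials.

```javascript
// Added example: flag AWS credentials hardcoded in a client-side JavaScript bundle.
// Sample input is constructed; the key values are AWS's documented placeholders.

// Access key IDs are 20 characters: a 4-letter prefix (AKIA = long-term IAM user key,
// ASIA = temporary STS key) followed by 16 uppercase letters or digits.
const ACCESS_KEY_ID_RE = /\b((?:AKIA|ASIA)[0-9A-Z]{16})\b/g;
// Secret access keys are 40 base64-alphabet characters with no fixed prefix, so only
// report them next to a secret-looking property name to keep false positives down.
const SECRET_KEY_RE = /secret_?access_?key["']?\s*[:=]\s*["']([A-Za-z0-9/+=]{40})["']/gi;

// 1-based line number of a character offset, for reporting.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source[i] === '\n') line++;
  return line;
}

// Returns findings sorted by line: { type, value, line, severity }.
function findAwsCredentials(source) {
  const findings = [];
  for (const m of source.matchAll(ACCESS_KEY_ID_RE)) {
    findings.push({
      type: 'aws_access_key_id',
      value: m[1],
      line: lineOf(source, m.index),
      // A long-term (AKIA) key in a bundle is always a finding. A temporary (ASIA) key
      // may be a legitimately vended short-lived credential and needs manual review.
      severity: m[1].startsWith('AKIA') ? 'high' : 'review',
    });
  }
  for (const m of source.matchAll(SECRET_KEY_RE)) {
    findings.push({
      type: 'aws_secret_access_key',
      value: m[1],
      line: lineOf(source, m.index),
      severity: 'high',
    });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed fragment resembling a leaked bundle; "AKIA-PART-" shows the ID regex
// does not fire on look-alike product codes.
const SAMPLE_BUNDLE = `// constructed sample, not a real bundle
const cfg = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  bucket: "spare-parts-invoices",
  partPrefix: "AKIA-PART-"
};`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findAwsCredentials(SAMPLE_BUNDLE)) {
    console.log(`${f.severity.toUpperCase()} line ${f.line}: ${f.type} = ${f.value}`);
  }
}
```

A hit on an AKIA key is conclusive on its own: long-term IAM user keys have no business in any artefact served to browsers, whatever the surrounding code does with them. Treat a flagged key as compromised from the moment it was first deployed, not from the moment it was found.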
Data Breach Scale Highlighted
One bucket alone held approximately 40 GB of administrative order reports, a measure of how much commercial information was at risk.
Notably, Zveare observed that the application used the keys for nothing more than fetching a 4 KB tax codes file. A credential that needed read access to one small object instead carried access to the whole estate, a textbook failure of least privilege.
Security Flaws in the FleetEdge System
A similar problem afflicted FleetEdge, Tata's fleet management solution. There the AWS keys were returned in encrypted form by an API, but the client-side code contained everything needed to decrypt them, so any user could recover the plaintext keys.
Encryption that the recipient can undo is no protection at all; this pattern, similar to one Zveare recently reported at Intel, uncovered yet another set of cloud buckets, including a data lake of over 70 TB of fleet data dating back to 1996.
The keys allowed writes as well as reads: an attacker could have downloaded decades of vehicle data and could also have uploaded malicious files to buckets serving other connected sites.
The finding points to a basic gap in key management for client-facing applications: a secret that reaches the browser, encrypted or not, is public.
Adding to the list, E-Dukaan's code contained what amounted to a backdoor into Tableau dashboards through Tableau's "trusted ticket" authentication, in which an allowlisted web server requests a ticket for a username and whoever holds the ticket is signed in without a password. Because the code would obtain a ticket for any user, anyone could sign in as any Tableau user, server administrators included.
That gave full access to internal projects, financial reports, dealer scorecards and details on more than 8,000 users.
Furthermore, an Azuga API key exposed in the JavaScript of the test drive site compromised fleet management for the demonstration vehicles, potentially allowing their locations to be tracked in real time.

Zveare stopped short of further investigation to avoid exfiltrating data, and confirmed that no malicious activity was observed during testing.
The vulnerabilities were reported to India's CERT-In on August 8, 2023, but remediation dragged on until January 2024 amid repeated follow-ups.
Tata Motors confirmed that fixes were applied in 2023, but no notifications went out to the affected parties, raising real questions about transparency.
As India's largest automotive manufacturer, operating across 125 countries, oversights of this kind seriously undermine vehicle owners' trust in how their data is handled.
Experts advocate tighter code reviews and better secret rotation to prevent a repeat. Two further points follow directly from the findings: credentials do not belong in client-side code at all, encrypted or not, and a key that has been published must be treated as compromised rather than merely rotated, with its replacement scoped to the one object or prefix the application actually needs.
Source link: Cybersecuritynews.com.