Nissan: Git, default-set, gone...
Atharva Chincholkar February 4, 2021 Uncategorized
Git Server with default credentials
When you set up systems that are connected to the internet, they generally require protection from unauthorized access, and that protection is usually provided by passwords. In most cases a default username and password are supplied for first-time configuration, and as a basic security practice you are supposed to change them before the system goes live. Nissan (North America) forgot this basic practice for their Bitbucket Git server.
Proprietary source code stolen
The repository contained proprietary source code for Nissan mobile apps, diagnostics tool, dealer portal, Nissan internal core mobile library, client acquisition and retention tools, sales/marketing research tools and data, vehicle logistics portal and various other internal tools.
The Swiss-based software engineer Tillie Kottmann learned of the leak from an anonymous source and, in an interview with ZDNet, said that it originated from a Git server exposed to the internet with admin/admin as the username and password. Close to 20 GB of the data is now available to download via a torrent link. Nissan has said that the leaked data and code do not expose its customers or their vehicles.
During server configuration it is easy to carry the configuration used for testing straight into deployment and forget to change the password. It is also hard to set and remember a strong admin password without a password manager, which is not practical when multiple users share the application. A shared admin password, however strong, is also susceptible to phishing.
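One way to stop the "test configuration reused in deployment" mistake described above is a startup guard that refuses to deploy while the admin account still looks like a first-time-setup default. The following is an added example written for this post, not code from Nissan, Atlassian Bitbucket or PureAuth; it assumes the deployment passes the Git server's admin account through two hypothetical environment variables, GIT_ADMIN_USER and GIT_ADMIN_PASSWORD, and the default-credential list it checks against is a constructed sample.

```python
"""Deployment guard against default admin credentials.

Added example for this post, not code from Nissan, Atlassian Bitbucket or
PureAuth. It assumes the deployment supplies the Git server's admin account
through two environment variables (hypothetical names GIT_ADMIN_USER and
GIT_ADMIN_PASSWORD) and refuses to continue when the pair looks like a
first-time-setup default that was never changed.
"""
import os
import string
from typing import Mapping

# Constructed sample of well-known first-time-setup pairs (lowercase username).
# A real deployment keeps its own list for the products it actually runs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "changeme"),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 14
MIN_CHARACTER_CLASSES = 3  # of: lowercase, uppercase, digits, punctuation


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def credential_problems(username: str, password: str) -> list[str]:
    """Return the reasons this admin pair must not go live (empty = acceptable)."""
    problems = []
    user = username.strip().lower()
    if (user, password) in DEFAULT_CREDENTIALS:
        problems.append("default credential pair: change it before deployment")
    if password.lower() == user:
        problems.append("password equals the username")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"password uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def validate_from_env(env: Mapping[str, str]) -> str:
    """Read the admin account from env and return the username if it passes.

    Raises RuntimeError listing every finding, so the deployment stops before
    the server is ever reachable with a default login.
    """
    try:
        username = env["GIT_ADMIN_USER"]
        password = env["GIT_ADMIN_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"admin credential variable {missing} is not set") from None
    problems = credential_problems(username, password)
    if problems:
        raise RuntimeError("refusing to deploy: " + "; ".join(problems))
    return username


if __name__ == "__main__":
    # Typical use in a deployment script: run this step before starting the service.
    try:
        print(f"admin account '{validate_from_env(os.environ)}' passed checks")
    except RuntimeError as err:
        raise SystemExit(str(err))
```

Run it as the first step of the deployment pipeline so that a missing, default or weak admin credential fails the deploy rather than surfacing later as an exposed server; the known-defaults check is the one that would have caught admin/admin, while the length and character-class checks catch the case where someone replaced the default with something only marginally better.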
Going passwordless, rather than merely changing default passwords, reduces the attack surface and the risk of unauthorised access far more effectively.
Our PureAuth platform integrates with GitHub as well as other SAML enabled applications and makes an enterprise more secure and resilient.