Wij willen met u aan tafel zitten en in een openhartig gesprek uitvinden welke uitdagingen en vragen er bij u spelen om zo, gezamelijk, tot een beste oplossing te komen. Oftewel, hoe kan de techniek u ondersteunen in plaats van dat u de techniek moet ondersteunen.

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information.

TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see other car owners’ names, recent activity, phone numbers, and more.

The apparent security lapse happened late-Friday before the app went offline “due to site maintenance” a few hours later.

It’s not uncommon for modern vehicles these days to come with an accompanying phone app. These apps connect to your car and let you remotely locate them, lock or unlock them, and start or stop the engine. But as cars become internet-connected and hooked up to apps, security flaws have allowed researchers to remotely hijack or track vehicles.

One Seattle-based car owner told TechCrunch that their app pulled in information from several other accounts. He said that both he and a friend, who are both Mercedes owners, had the same car belonging to another customer, in their respective apps but every other account detail was different.

benz app 2

Screenshots of the Mercedes-Benz app showing another person’s vehicle, and exposed data belonging to another car owner. (Image: supplied)

The car owners we spoke to said they were able to see the car’s recent activity, including the locations of where it had recently been, but they were unable to track the real-time location using the app’s feature.

When he contacted Mercedes-Benz, a customer service representative told him to “delete the app” until it was fixed, he said.

The other car owner we spoke to said he opened the app and found it also pulled in someone else’s profile.

“I got in contact with the person who owns the car that was showing up,” he told TechCrunch. “I could see the car was in Los Angeles, where he had been, and he was in fact there,” he added.

He said that he wasn’t sure if the app has exposed his private information to another customer.

“Pretty bad fuck up in my opinion,” he said.

The first customer reported that the “lock and unlock” and the engine “start and stop” features did not work on his app, somewhat limiting the impact of the security lapse. The other customer said they did not attempt to test either feature.

It’s not clear how the security lapse happened or how widespread the problem was. A spokesperson for Daimler, the parent company of Mercedes-Benz, did not respond to a request for comment on Saturday.

According to Google Play’s rankings, more than 100,000 customers have installed the app.

A similar security lapse hit Credit Karma’s mobile app in August. The credit monitoring company admitted that users were inadvertently shown other users’ account information, including details about credit card accounts and balances. But despite disclosing other people’s information, the company denied a data breach.


TechCrunch

A hacker gained access to internal files and documents owned by security company and SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.

The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.

Jelle Ursem, a Netherlands-based security researcher who found the credentials, contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the following day.

Ursem told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company’s OneDrive — and the company’s organization graph on SharePoint, allowing him to see the team’s biographies, contact information including phone numbers and email addresses, photos, customer documents, calendar, and more.

comodo calendar

A screenshot of a staff calendar on Comodo’s internal site. (Image: supplied)

He also shared several screenshots of folders containing agreements and contracts with several customers — with the names of customers in each filename, such as hospitals and U.S. state governments. Other documents appeared to be Comodo vulnerability reports. Ursem’s cursory review of the data did not turn up any customer certificates private keys, however.

“Seeing as they’re a security company and give out SSL certificates, you’d think that the security of their own environment would come first above all else,” said Ursem.

But according to Ursem, he wasn’t the first person to find the exposed email address and password.

“This account has already been hacked by somebody else, who has been sending out spam,” he told TechCrunch. He shared a screenshot of a spam email sent out, purporting to offer tax refunds from the French finance ministry.

We reached out to Comodo for comment prior to publication. A spokesperson said the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”

It’s the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files inadvertently containing private credentials used for internal-only testing. Researchers like Ursem regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.

Earlier this year Ursem found a similarly exposed set of internal Asus passwords on an employee’s GitHub public account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.


TechCrunch

Created by R the Company. Powered by SiteMuze.