Nissan source code leaked online following Git repo misconfiguration


The source code of mobile applications and in-house tools developed and used by Nissan North America has been leaked online after the company misconfigured one of its Git servers.

The leak came from a Git server exposed on the Internet with its default username and password combination of admin/admin, Tillie Kottmann, a Swiss software engineer, told ZDNet in an interview this week.

Kottmann, who learned of the leak on Monday from an anonymous source and analyzed the Nissan data, said the Git repository contained the source code of:

  • Nissan NA mobile applications
  • some parts of the Nissan ASIST diagnostic tool
  • the merchant business systems / merchant portal
  • Nissan Internal Core Library
  • Nissan / Infiniti NCAR / ICAR services
  • tools for acquiring and retaining customers
  • sales / market research tools + data
  • different marketing tools
  • the vehicle logistics portal
  • vehicle-related services / things connected by Nissan
  • and various other back-end and internal tools

Nissan investigates leak

The Git server, a Bitbucket instance, was taken offline yesterday after the data began circulating on Monday in the form of torrent links shared on Telegram channels and hacking forums.

A Nissan spokesman confirmed the comments.

“We are aware of a claim regarding an improper disclosure of Nissan’s confidential information and source code. We take this type of matter seriously and are conducting an investigation,” the Nissan representative told ZDNet in an email.

The Swiss researcher received a tip about the Nissan Git server after they found, in May 2020, a similarly misconfigured GitLab server that leaked the source code of various Mercedes Benz applications and tools.

Mercedes eventually acknowledged the leak, and Kottmann, who provided the leaked data, also removed it from their server at the request of the company.
