Toyota Suffers Data Breach from Exposed Access Key Publicly Available on GitHub
The breach
Almost 300,000 email addresses and customer management numbers were leaked recently from Toyota, one of the largest revenue producing automakers in the world. The breach was a result of leaked credentials by a third-party subcontractor on a publicly accessible GitHub repository. The repository hosted source code from the company’s infotainment system “T-Connect”, with the credentials in question being an access key relating to a T-Connect server.
The leak could be perceived as fortunate due to the duration of time the key had been present on the repository for, which reportedly was from 2017. The attacker was also not able to obtain any other sensitive information like customer names, phone numbers and credit card information – another potential silver lining. As a result, any potential attempts to use the obtained information in a phishing attack is weakened but still remains a possibility.
In attempts to calm customer nerves, Toyota informed all those affected via email about the breach and have set up a page for customers to verify if their email addresses have been leaked.
Source code and password theft
The root cause of this breach was a leak of sensitive information hard coded into application source code. This is a common occurrence within the realm of data breaches, as developers tend to find this solution to be a quick and easy method of facilitating authentication services, rather than incorporating secure practices like accessing credentials from secrets/access key management servers.
This news follows recent cases of source code related theft from large corporations such as Intel and LastPass, both who have been victim to hacks that leaked sensitive source code. It highlights the importance of both ensuring application source code is developed and stored securely, thus limiting the security risks organisations are exposed to.
How could this have been avoided?
As previously mentioned, it is best practice to ensure sensitive credentials are never hard coded into source code and instead provisioned through a credential provider like AWS’ HPC vault or Secrets Manager. Another alternative would be to prompt for a user password to authenticate to the relevant service; this could be done mechanisms like single-sign-on or OpenID Connect.
Ensuring code repositories are not publicly available would have also mitigated the risk of a breach occurring in this instance. Hosting critical data in private repositories ensures that the security risk to organisations is kept as low as possible.
References
Toyota Reveals Data Leak of 300,000 Customers – Infosecurity Magazine (infosecurity-magazine.com)
Toyota Suffers Data Breach from “Mistakenly” Exposed Access Key on GitHub | Spiceworks 1
Fortinet Critical Authentication Bypass Bug Actively Exploitable
The Vulnerability
Fortinet are a widely known cyber security solutions provider headquartered in Sunnyvale, California. They are probably best known for their range of network devices and firewalls. Their devices run their proprietary software which is at the centre of the identified vulnerability. Dubbed CVE-2022-40684, the vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0 are also impacted. This issue directly impacts FortiGate firewalls, FortiProxy web proxies and the FortiSwitchManager switch management product.
Technical Details
The vulnerability grants the attacker the ability to log on to vulnerable devices. This can be done using a specially crafted HTTP/S request resulting in a large scope for potential attackers to exploit. Any publicly facing administrative portals for both the firewalls and proxy devices are at risk of exploitation. The popularity of Fortinet and their products means they are usually a popular entry point for attackers to obtain initial access to a network and pivot to other internal assets.
Has it been fixed?
Fortinet were very quick to release information on how to remediate or work around the issue. Currently, their security advisory recommends upgrading to the following versions of their products
- FortiOS version 7.2.2 or above
- FortiOS version 7.0.7 or above
- FortiProxy version 7.2.1 or above
- FortiProxy version 7.0.7 or above
- FortiSwitchManager version 7.2.1 or above
They have also provided workarounds for customers who do not have the ability to implement any updates. Most workarounds involve disabling the HTTP/HTTPS administrative interface or restricting the IP addresses that can access the interface through the devices configuration file.
The Impact
With Fortinet’s popularity in the Cyber Security industry, malicious actors looking for new methods of obtaining initial access to sensitive and internal networks may have found their answer. Although their popularity may draw some unwanted attention, Fortinet’s speedy remediation and workaround releases attempt to reduce the exploitation risk and ensure their customers remain secure.
References
PSIRT Advisories | FortiGuard
Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug (thehackernews.com)
