
Nissan GIT fail, admin/admin (Source code and some marketing data)

Nissan has had some of their code leaked and some customer data when they set up a GIT server using the most secure username and password ever invented...admin/admin.  Obviously people found it and leaked it.

 

Quotes


"The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin," Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week.

Kottmann, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:

  • Nissan NA Mobile apps
  • some parts of the Nissan ASIST diagnostics tool
  • the Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • client acquisition and retention tools
  • sale / market research tools + data
  • various marketing tools
  • the vehicle logistics portal
  • vehicle connected services / Nissan connect things
  • and various other backends and internal tools

 

With the amount of source that was released, I am wondering whether there will be exploits found in the software that might allow for remote access to a vehicle (i.e. unlocking it, or doing other things that the mobile app can do).  It does get a bit scary that they left so much of their code exposed with the default password.  Then again, it's another great example of how some of the old school car manufacturers don't seem to worry as much about security and often lag behind.

 

Sources

https://www.bleepingcomputer.com/news/security/nissan-na-source-code-leaked-due-to-default-admin-admin-credentials/

https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/

3735928559 - Beware of the dead beef


3 hours ago, wanderingfool2 said:

Nissan has had some of their code leaked and some customer data when they setup a GIT server using the most secure username and password ever invented...admin/admin.

This is a failure of the software development community. When logging into something for the first time, it should be mandatory that the password be changed. Otherwise "do not pass GO, do not collect $200". And no, you can't use 12345678, password, Password01, or any of those other silly useless variants that are typically found in a dictionary attack. 🙄

 

 


1 hour ago, StDragon said:

This is a failure of the software development community. When logging into something for the first time, it should be mandatory that the password be changed. Otherwise "do not pass GO, do not collect $200". And no, you can't use 12345678, password, Password01, or any of those other silly useless variants that are typically found in a dictionary attack. 🙄

 

 

I agree and disagree.  There does need to be more done in terms of the initial installation, and getting users to set new defaults...but at the same time, that isn't an excuse for a company to host very important information and not change a default password.

3735928559 - Beware of the dead beef


Don't worry they'll update it to the most secure password known

Spoiler

hunter2

 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

42U Server Rack: ISP Modem + UDM-SE + APC 3kVA UPS + 3x Dell Precision 5820 + TBD

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


7 hours ago, StDragon said:

This is a failure of the software development community. When logging into something for the first time, it should be mandatory that the password be changed. Otherwise "do not pass GO, do not collect $200". And no, you can't use 12345678, password, Password01, or any of those other silly useless variants that are typically found in a dictionary attack. 🙄

 

 

Or like routers, have a random password already set as default.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


13 hours ago, yaboistar said:

remote access to a vehicle?

 

oh, PLEASE. give us a cyberpunk "call your vehicle" button complete with IRL physics glitches

Only if it only costs $100 to completely replace a destroyed vehicle. :D

"Don't fall down the hole!" ~James, 2022

 

"If you have a monitor, look at that monitor with your eyeballs." ~ Jake, 2022


Who would win?

 

admin/admin

 

VS

 

username/password

The Workhorse (AMD-powered custom desktop)

CPU: AMD Ryzen 7 3700X | GPU: MSI X Trio GeForce RTX 2070S | RAM: XPG Spectrix D60G 32GB DDR4-3200 | Storage: 512GB XPG SX8200P + 2TB 7200RPM Seagate Barracuda Compute | OS: Microsoft Windows 10 Pro

 

The Portable Workstation (Apple MacBook Pro 16" 2021)

SoC: Apple M1 Max (8+2 core CPU w/ 32-core GPU) | RAM: 32GB unified LPDDR5 | Storage: 1TB PCIe Gen4 SSD | OS: macOS Monterey

 

The Communicator (Apple iPhone 13 Pro)

SoC: Apple A15 Bionic | RAM: 6GB LPDDR4X | Storage: 128GB internal w/ NVMe controller | Display: 6.1" 2532x1170 "Super Retina XDR" OLED with VRR at up to 120Hz | OS: iOS 15.1


13 hours ago, StDragon said:

This is a failure of the software development community. When logging into something for the first time, it should be mandatory that the password be changed. Otherwise "do not pass GO, do not collect $200". And no, you can't use 12345678, password, Password01, or any of those other silly useless variants that are typically found in a dictionary attack. 🙄

I'd go even further than that. Default credentials should not be a thing, any device/software that requires a secure login should require the user to create it at the point of installation before working at all.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

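The three fixes proposed in this thread (force a password change on first login, reject dictionary passwords and their "Password01" variants, and ship a random per-install default instead of admin/admin) fit together into one small first-run gate. The code below is an added example written for this page; it is not from the forum, from Nissan, or from any Git server product. Every name in it (AccountStore, COMMON_PASSWORDS, password_problems, the PBKDF2 iteration count) is an assumption chosen for the illustration, and the denylist is a constructed sample rather than a real wordlist.

```python
"""Added example (not from the thread): a minimal first-run credential gate.

Demonstrates, in one place:
  * no shipped default such as admin/admin: the installer mints a random
    one-time password (as routers with per-device defaults do),
  * the first login is accepted, but every action other than changing the
    password is refused until it has been changed ("do not pass GO"),
  * the replacement password is checked against a denylist of common
    passwords and their trivial variants (12345678, password, Password01...).

All names here are assumptions for the illustration, not a real project's API.
"""
import hashlib
import hmac
import secrets

# Constructed denylist for the example; a deployment would load a large list.
COMMON_PASSWORDS = {
    "12345678", "password", "password01", "admin", "qwerty", "letmein",
    "hunter2", "welcome", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an
    # assumed value for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def normalize(password: str) -> str:
    """Collapse the usual 'make it look different' tricks before the denylist
    lookup: lower-case, then strip trailing digits and punctuation, so that
    Password01 and password! both map to 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.?_-")


def password_problems(password: str) -> list[str]:
    """Return the reasons a candidate password is unacceptable (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("matches a common/dictionary password")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


class AccountStore:
    """Single-admin store with a first-run gate (illustrative, in-memory)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        # The installer mints a random one-time password instead of shipping
        # admin/admin; it is displayed once at install time and must be replaced.
        self.initial_password = secrets.token_urlsafe(16)
        self.hash = _hash_password(self.initial_password, self.salt)
        self.must_change = True

    def login(self, password: str) -> bool:
        # Constant-time comparison of the derived hashes.
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.hash)

    def perform_action(self, password: str, action: str) -> str:
        """Refuse everything except a password change while the flag is set."""
        if not self.login(password):
            return "denied: bad credentials"
        if self.must_change and action != "change_password":
            return "denied: password change required before any other action"
        return f"ok: {action}"

    def change_password(self, current: str, new: str) -> list[str]:
        """Replace the password; returns the list of problems (empty on success)."""
        if not self.login(current):
            return ["bad current credentials"]
        problems = password_problems(new)
        if new == current:
            problems.append("new password must differ from the current one")
        if problems:
            return problems
        # Re-salt on change so the old hash cannot be compared against the new one.
        self.salt = secrets.token_bytes(16)
        self.hash = _hash_password(new, self.salt)
        self.must_change = False
        return []


if __name__ == "__main__":
    store = AccountStore()
    print("one-time install password:", store.initial_password)
    print(store.perform_action(store.initial_password, "push_repo"))
    print(store.change_password(store.initial_password, "Password01!!"))
    print(store.change_password(store.initial_password, "correct-horse-battery-staple-42"))
    print(store.perform_action("correct-horse-battery-staple-42", "push_repo"))
```

The gate is enforced in `perform_action`, not in the UI, so a client that skips the "please change your password" screen still cannot do anything. The `normalize` step is what turns "Password01" from a clever variant into a plain denylist hit.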

17 hours ago, yaboistar said:

remote access to a vehicle?

 

oh, PLEASE. give us a cyberpunk "call your vehicle" button complete with IRL physics glitches

New BMW i8 summoned straight in your face.

