Nissan source code leaked online after a Git repository was incorrectly configured


The source code for mobile apps and internal tools developed and used by Nissan North America leaked online after the company incorrectly configured one of its Git servers.

The leak originated from a Git server that was left exposed on the internet with its default username and password combination of admin/admin, Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week.

Kottmann, who learned of the leak from an anonymous source and analyzed Nissan’s data on Monday, said the Git repository contained the source code for:

  • Nissan NA Mobile Applications
  • parts of the Nissan ASIST diagnostic tool
  • the Dealer Business Systems / Dealer Portal
  • Nissan’s internal mobile library
  • Nissan / Infiniti NCAR / ICAR Services
  • customer acquisition and retention tools
  • sales / market research tools + data
  • various marketing tools
  • the vehicle logistics portal
  • connected vehicle services / Nissan Connect Things
  • and several other internal backends and tools

Nissan is investigating the leak

The Git server, a Bitbucket instance, was taken offline yesterday after the data started circulating on Monday in the form of torrent links shared on Telegram channels and hacker forums.

Asked to comment, a Nissan spokesman confirmed the incident.

“We are aware of a complaint about the improper disclosure of Nissan’s confidential information and source code. We take this type of matter seriously and are conducting an investigation,” the Nissan representative told ZDNet in an email.

Swiss researchers received a tip about Nissan’s Git server after they found a poorly configured GitLab server in May 2020 that leaked the source code for various Mercedes-Benz applications and tools.

Mercedes eventually admitted to the leak, and Kottmann, who hosted the leaked data, also removed it from their server at the company’s request.
