The Brazilian retailer for Volvo vehicles, Dimas Volvo, has been found to have leaked sensitive files through its website, potentially putting the personal information of its clients in danger. Cybernews, the research team that discovered the leak, informed both Dimas Volvo and Volvo’s data protection officers, and the issue has been fixed.
The leaked files included the retailer’s database authentication information, the URL for the Git repository where the website’s source code is stored, and email credentials for official communication channels.
Attackers could have used this information to infiltrate the company’s systems and steal sensitive data.
Volvo is an attractive target for criminals due to its wealthy clientele. It is not the only car manufacturer to suffer from a data breach recently. Cybernews also found that BMW and Toyota exposed sensitive files, potentially allowing attackers to steal their customers’ personal information.
BMW’s Italy website source code and customer information were at risk, while Toyota accidentally leaked access to its marketing tools for over one-and-a-half years, enabling phishing campaigns against its customers in Italy. The car industry, like many others, is failing to prevent data leaks.
The exposure of the Laravel application key is particularly dangerous because it could have allowed an attacker to decrypt user cookies, which can hold sensitive information such as credentials or session IDs.
By exploiting this data, an attacker could hijack a victim’s account. The leaked information also included metadata from the developer’s computer, which would allow attackers to identify the technologies employed in the website’s development and streamline techniques to compromise the website. The leaked email credentials could have enabled attackers to send phishing emails to customers from a trusted company’s email and access previous communication with the company’s customers.
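A defensive check that follows from the leak described above, as an added example (not code from Cybernews, Dimas Volvo or Volvo): it walks a directory that a web server publishes and reports files holding the classes of secret the article lists. The variable names are Laravel's standard environment keys; the sample tree, file names and values are constructed, and the assumption that the secrets sat in key=value files is the example's own.

```python
import os
import re
import tempfile

# Laravel environment variable names for the secret classes named in the article:
# application key, database credentials, mail credentials.
SECRET_KEYS = ("APP_KEY", "DB_USERNAME", "DB_PASSWORD", "MAIL_USERNAME", "MAIL_PASSWORD")
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?(%s)\s*=\s*(\S.*)$" % "|".join(SECRET_KEYS))
GIT_REMOTE = re.compile(r"^\s*url\s*=\s*\S+")  # remote URL line in a git config file


def audit_webroot(webroot, max_bytes=1_000_000):
    """Return sorted (relative_path, finding) pairs; secret values are never returned."""
    findings = set()
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            if os.path.getsize(path) > max_bytes:
                continue  # skip large binaries
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                for line in fh:
                    m = ASSIGNMENT.match(line)
                    if m and m.group(2).strip("\"'"):  # ignore empty assignments
                        findings.add((rel, m.group(1)))
                    elif rel.endswith(".git/config") and GIT_REMOTE.match(line):
                        findings.add((rel, "GIT_REMOTE_URL"))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample tree (not from the incident): a stray env file and a git config."""
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "backup.env"), "w") as fh:
        fh.write("APP_NAME=shop\nAPP_KEY=base64:CONSTRUCTED_PLACEHOLDER\n"
                 "DB_PASSWORD=\"constructed\"\nMAIL_PASSWORD=\n")
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[remote \"origin\"]\n\turl = https://git.example.invalid/site.git\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>APP_KEY is mentioned in prose only</html>\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_webroot(build_sample_webroot(tmp)):
            print(f"{rel}: {finding}")
```

Any finding means the file should be moved out of the published directory and the named secret rotated, since a value that was reachable over HTTP has to be treated as disclosed.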
The leak highlights the importance of data protection for companies and the need to take preventative measures.
It also shows the potential risks associated with using third-party retailers to sell products. In this case, the vulnerability was caused by a security flaw in a third-party company, rather than in Volvo itself.
Companies must be vigilant in monitoring their third-party partners to ensure that their clients’ personal information remains protected.