Nissan NA source code leaked due to default admin:admin credentials

Multiple code repositories from Nissan North America became public this week after the company left an exposed Git server protected with default access credentials.

The entire collection is around 20 gigabytes large and contains source code for mobile apps and various tools used by Nissan internally for diagnostics, client acquisition, market research, or NissanConnect services.

It is unclear if Nissan learned about the leak by itself or received a tip, but the company took down the insecure server on Tuesday before media outlets started publishing news of the incident.

Complete git repos dump

Swiss developer and reverse engineer Tillie Kottmann, who maintains a repository of leaked source code from various sources and their scouting of misconfigured devops tools, posted a summary of the Nissan leak:

• Nissan NA Mobile apps
• Parts of the ASIST Diagnostic System software
• Dealer Business Systems/Dealer Portal
• Nissan internal core mobile library
• Nissan/Infiniti NCAR/ICAR services
• Client acquisition and retention tools
• Sale/market research tools and data
• Various marketing tools
• Vehicle logistics portal
• Vehicle connected services/Nissan connect things
• Various other backends and internal tools

Kottmann told BleepingComputer that someone had informed them of the server and the admin/admin access credentials. Once the word got out, a torrent link for Nissan source code collection started being shared online; so despite Nissan's effort, the data remains in the hands of unauthorized third-parties.

Repository pulled

In a conversation with Kottmann, they said that the company contacted them about hosting the repositories and that they would likely remove them. It happened on Thursday.

The developer told us on a different occasion that they comply with takedown requests and are even willing to provide tips for improving the security of a company's infrastructure if asked.

Their public repository on GitLab contains folders with data from big companies like Pepsi, Toyota, SunTech, AMD, Motorola, Mediatek, Sierra Nevada Corporation, or the U.S. Air Force Research Laboratory.

Although not all folders have sensitive data they may contain information meant to be private or that could lead to protected assets.