Hacking India’s largest automaker: Tata Motors
Eaton • Oct 28, 2025
Copy Link Share
Key Points / Summary
2 exposed AWS keys on public-facing websites revealed 70+ TB of sensitive information and infrastructure across hundreds of buckets.
Pointless AWS key encryption easily defeated.
Tableau backdoor made it possible to log in as anyone without a password, including the server admin. This exposed countless internal projects, financial reports, and dealer dashboards.
Exposed Azuga API key compromised test drive fleet management system.
If you are in the US and ask your friends and family if they have heard of “Tata Motors”, they would likely say no. However, if you go overseas, Tata Motors and the Tata Group in general are a massive, well-known conglomerate. Back in 2023, I took my hacking adventures overseas and found many vulnerabilities with Tata Motors. This post covers 4 of the most impactful findings I discovered that I am finally ready to share today. Let’s dive in!
Note that all secrets/credentials shown have been rotated, meaning they are no longer valid and cannot be used anymore. Additionally, no substantial amounts of data were downloaded as part of any testing, nor was there any obvious evidence of malicious access.
... continue reading