Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.
Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.
Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.
The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number, or PAN, a ten-character unique identifier issued by the Indian government.
“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.
There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.
The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
Techcrunch event 2-FOR-1 DISCOUNT: Bring a +1 and save 60% Google Cloud, Netflix, Microsoft, Box, Phia, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. And don’t miss 300+ showcasing startups in all sectors.
Bring a +1 and save 60% on their pass, or get your pass by Oct 27 to save up to $444. 2-FOR-1 DISCOUNT: Bring a +1 and save 60% Google Cloud, Netflix, Microsoft, Box, Phia, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. And don’t miss 300+ showcasing startups in all sectors. Bring a +1 and save 60% on their pass, or get your pass by Oct 27 to save up to $444. San Francisco | REGISTER NOW
... continue reading