Nissan source code leaked due to Git repo misconfiguration

Nissan was allegedly running a Bitbucket Git server with the default credentials of admin/admin.

The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers.

“We are aware of a claim regarding a reported improper disclosure of Nissan’s confidential information and source code,” said a Nissan spokesperson. “We take this type of matter seriously and are conducting an investigation.”

Tillie Kottmann, a software engineer, publicized the apparently leaked information earlier this week on Twitter and Telegram. They told CyberScoop the information came via a “severely mismanaged” server that had the username and password of “admin:admin.”

“I was informed about the server by an anonymous source but acquired it myself and can thus mostly verify it,” Kottmann said via a Twitter direct message exchange. Kottmann said they also heard some ex-Nissan employees recognized projects there.

Kottmann, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:

  • Nissan NA Mobile apps
  • some parts of the Nissan ASIST diagnostics tool
  • the Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • client acquisition and retention tools
  • sale / market research tools + data
  • various marketing tools
  • the vehicle logistics portal
  • vehicle connected services / Nissan connect things
  • and various other backends and internal tools