Tata Motors Data Leak – 70+ TB of Sensitive Info and Test Drive Data Exposed via AWS Keys


Security researcher Eaton Zveare has disclosed critical vulnerabilities in Tata Motors’ systems that exposed over 70 terabytes of sensitive data, including customer personal information, financial reports, and fleet management details.

The flaws, uncovered during ethical hacking in 2023 but publicly shared only now, involved hardcoded AWS access keys on public-facing websites, granting unauthorized access to hundreds of cloud storage buckets.

This breach highlights ongoing risks in major automakers’ digital infrastructure, potentially compromising data on millions of customers and dealers.

Tata Motors’ E-Dukaan platform, an e-commerce site for vehicle spare parts, contained plaintext AWS credentials directly in its source code, allowing anyone to access vast repositories of confidential files.

These keys unlocked customer database backups, lists with market intelligence, and hundreds of thousands of invoices revealing personal details like names, addresses, and Indian PAN numbers.


One bucket alone held about 40 GB of admin order reports, underscoring the sheer volume of exposed commercial data. Zveare noted that the keys were used merely to fetch a small 4 KB tax codes file, a minimal justification for such extensive risks.


Decryptable Credentials in FleetEdge System

A similar issue plagued FleetEdge, Tata’s fleet tracking solution, where AWS keys appeared encrypted in API responses but were easily decrypted via client-side code.


This “pointless” encryption, akin to recent flaws at Intel, exposed another trove of buckets, including a datalake with over 70 TB of fleet insights dating back to 1996.

Attackers could not only download historical vehicle data but also upload malware to connected websites, amplifying the threat to operational security. The discovery emphasized poor key management practices in client-facing applications.

Compounding the risks, E-Dukaan’s code included a backdoor to Tableau dashboards, enabling passwordless logins as any user, including the server admin, via a “trusted token” mechanism.

This granted full access to internal projects, financial reports, dealer scorecards, and data on over 8,000 users. Separately, an exposed Azuga API key in the test drive website’s JavaScript compromised fleet management for demonstration vehicles, potentially revealing real-time location tracking. Zveare halted deeper probes to avoid data exfiltration, confirming no malicious activity during testing.
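The common thread in the E-Dukaan, FleetEdge and test-drive findings is a long-lived credential shipped to the browser. The scanner below is an added example, not code from the article or from Tata Motors: it is the kind of check a CI job or pre-commit hook runs over a built front-end bundle to catch AWS access key IDs, their 40-character secrets, and generic API-key assignments before deployment. The sample bundle is constructed; its AWS values are Amazon's documented example credentials, and the entropy threshold, file-suffix list and regex heuristics are this example's own assumptions.

```python
"""Added example (not code from the article or from Tata Motors): a small
secret scanner for front-end source and build output. Sample input is
constructed; the AWS values are Amazon's documented example credentials."""
import math
import re
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# AWS long-term access key IDs begin with AKIA and temporary (STS) ones with ASIA;
# both are 20 characters, so a literal match is a high-confidence finding.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret access keys are 40 characters of [A-Za-z0-9/+=]; to limit noise the
# match is only attempted when the word "secret" appears shortly before the value.
AWS_SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?['\"]([A-Za-z0-9/+=]{40})['\"]")
# Generic API keys / tokens assigned next to a telltale identifier (the kind of
# third-party fleet API key the article says sat in the test-drive site's JavaScript).
GENERIC_KEY_RE = re.compile(
    r"(?i)\b(?:api[_-]?key|auth[_-]?token|access[_-]?token)\b[^\n]{0,20}?['\"]([A-Za-z0-9_\-]{20,})['\"]"
)
# Assumed set of file types worth scanning in a built bundle.
SOURCE_SUFFIXES = {".js", ".ts", ".jsx", ".tsx", ".html", ".json", ".py"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Keep only the ends so a report can be shared without re-leaking the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, filename: str = "<memory>", entropy_threshold: float = 3.5) -> List[Dict]:
    """Return one finding per suspected credential, in line order."""
    findings: List[Dict] = []

    def add(kind: str, lineno: int, value: str) -> None:
        findings.append({"file": filename, "line": lineno, "kind": kind, "redacted": redact(value)})

    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            add("aws_access_key_id", lineno, m.group(0))  # prefix+length is conclusive
        for m in AWS_SECRET_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                add("aws_secret_access_key", lineno, m.group(1))
        for m in GENERIC_KEY_RE.finditer(line):
            # The entropy gate drops documentation placeholders such as REPLACE_ME_REPLACE_ME.
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                add("generic_api_key", lineno, m.group(1))
    return findings


def scan_tree(root: Path, suffixes: Iterable[str] = SOURCE_SUFFIXES) -> List[Dict]:
    """Scan every source-like file under root (for example the built dist/ directory)."""
    results: List[Dict] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            results.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample bundle for the example; not code from any real site.
SAMPLE_BUNDLE = """\
// constructed front-end bundle for the example, not code from any real site
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
const s3 = new S3({ accessKeyId: AWS_ACCESS_KEY_ID, secretAccessKey: AWS_SECRET_ACCESS_KEY });
fetch(url, { headers: { apiKey: "live_constructedkey_0123456789ABCDEF" } });
const docs = { apiKey: "REPLACE_ME_REPLACE_ME" };
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE, "dist/bundle.js"):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['redacted']}")
```

On the sample this reports the key ID on line 2, the secret on line 3 and the API key on line 5, while the placeholder on line 6 is filtered out by entropy. A literal scan like this would not have caught the FleetEdge variant, where the key arrived obfuscated and was decoded by client code; the durable fix for every case on the page is the same, which is to keep the credential server-side (a backend endpoint or a short-lived pre-signed S3 URL for the one file the browser needs) rather than to hide it better in the bundle.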

The vulnerabilities were reported through India’s CERT-In on August 8, 2023, but remediation dragged on until January 2024 amid repeated follow-ups. Tata Motors confirmed fixes in 2023 without notifying affected parties, raising questions about transparency.

As India’s largest automaker, operating in 125 countries, such lapses erode trust in data handling for vehicle owners. Experts urge enhanced code reviews and secret rotation to prevent future exposures.
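The secret-rotation advice above is easy to state and easy to let slip; a scheduled audit that flags stale and idle IAM access keys keeps it honest. The following is an added example, not code from the article or from Tata Motors. It works over records in the shape returned by boto3's `iam.list_access_keys()` (the `AccessKeyMetadata` list) and `iam.get_access_key_last_used()` (the `LastUsedDate` field), but the records here are constructed so the check runs offline, and the 90-day and 30-day thresholds, the user names and the key IDs are this example's own assumptions.

```python
"""Added example (not from the article): an IAM access-key rotation audit over
metadata in the shape boto3's iam.list_access_keys() and
iam.get_access_key_last_used() return. All records below are constructed so
the check runs offline; in practice they come from those API calls."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed AccessKeyMetadata records (same field names as the IAM API response).
ACCESS_KEYS: List[Dict] = [
    {"UserName": "web-frontend", "AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active",
     "CreateDate": datetime(2023, 8, 1, tzinfo=timezone.utc)},
    {"UserName": "fleet-ingest", "AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Active",
     "CreateDate": datetime(2023, 12, 1, tzinfo=timezone.utc)},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLEKEY000003", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"UserName": "legacy-batch", "AccessKeyId": "AKIAEXAMPLEKEY000004", "Status": "Inactive",
     "CreateDate": datetime(2022, 1, 1, tzinfo=timezone.utc)},
]
# Constructed LastUsedDate values keyed by AccessKeyId; None means the key was never used.
LAST_USED: Dict[str, Optional[datetime]] = {
    "AKIAEXAMPLEKEY000001": datetime(2024, 1, 14, tzinfo=timezone.utc),
    "AKIAEXAMPLEKEY000002": None,
    "AKIAEXAMPLEKEY000003": datetime(2024, 1, 14, tzinfo=timezone.utc),
    "AKIAEXAMPLEKEY000004": None,
}
# Fixed "now" so the example is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def rotation_candidates(keys: List[Dict], last_used: Dict[str, Optional[datetime]], now: datetime,
                        max_age_days: int = 90, unused_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (UserName, AccessKeyId, reason) for each active key that needs action.

    Policy (an assumption of this example): an active key older than max_age_days is
    rotated; an active key idle for more than unused_days (or never used and older
    than that) is deactivated, since an idle long-lived key is pure exposure.
    """
    out: List[Tuple[str, str, str]] = []
    for k in keys:
        if k["Status"] != "Active":
            continue  # already disabled; deleting it is a separate housekeeping step
        age = (now - k["CreateDate"]).days
        used = last_used.get(k["AccessKeyId"])
        idle = (now - used).days if used else age
        if age > max_age_days:
            out.append((k["UserName"], k["AccessKeyId"], f"rotate: {age} days old"))
        elif idle > unused_days:
            out.append((k["UserName"], k["AccessKeyId"], f"deactivate: unused for {idle} days"))
    return out


def audit() -> List[Tuple[str, str, str]]:
    """Run the policy over the constructed records."""
    return rotation_candidates(ACCESS_KEYS, LAST_USED, NOW)


if __name__ == "__main__":
    for user, key_id, reason in audit():
        print(f"{user}\t{key_id}\t{reason}")
```

Run against the constructed records, the 167-day-old front-end key is flagged for rotation and the never-used 45-day-old ingest key for deactivation, while the fresh, recently used CI key and the already inactive legacy key are left alone. Pairing this with a scanner of shipped bundles closes the loop the article describes: a key that is found in client code is rotated immediately, and a key that is not found anywhere still expires on schedule.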
