Full Report
Security researcher Eaton Zveare disclosed that in 2023 multiple public-facing Tata Motors applications (notably the E-Dukaan marketplace and the FleetEdge fleet product) contained hardcoded or client-recoverable cloud credentials and API tokens that allowed access to hundreds...
Analysis Summary
# Vulnerability: Hardcoded and Client-Recoverable Credentials in Tata Motors Cloud Infrastructure
## CVE Details
- **CVE ID**: N/A. No CVE identifiers had been assigned as of the disclosure date; the flaws are in proprietary, vendor-hosted applications rather than in a distributed software product.
- **CVSS Score**: Estimated 9.8 (Critical). This is the report author's estimate, not a vendor or NVD score; it reflects unauthenticated, low-complexity network access to sensitive PII and administrative functions.
- **CWE**: CWE-798 (Use of Hardcoded Credentials), CWE-312 (Cleartext Storage of Sensitive Information).
## Affected Systems
- **Products**:
- Tata Motors E-Dukaan (Spare parts marketplace)
- Tata Motors FleetEdge (Fleet management platform)
- CRM systems and employee portals
- **Versions**: Not applicable in the conventional sense, since these are hosted services. The exposure affected the web and mobile builds that were publicly deployed during the 2023 discovery period.
- **Configurations**: Publicly accessible web applications and Android application packages (APKs).
## Vulnerability Description
Secrets were stored in, and exposed through, material delivered to the client: front-end JavaScript and Android application binaries. Anything shipped to the client can be read by any user of the application, so a credential embedded there is effectively public regardless of minification or obfuscation.
1. **Hardcoded Credentials**: Azure Storage account keys and Firebase API keys were embedded directly in the source of the front-end applications.
2. **Client-Recoverable Tokens**: Internal API tokens could be read with browser developer tools or recovered by decompiling the Android APKs.
3. **Insecure API Design**: Several internal APIs treated possession of the embedded token as sufficient authorization, so anyone who recovered the token from the client obtained administrative access to backend databases.
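The secrets described above are found by reading what the client already holds: the served JavaScript bundle and the resources unpacked from the APK. The following scanner is an added example (not Tata Motors code or the researcher's tooling) showing how such material is swept for credentials; it matches fixed credential shapes and falls back to an entropy test for opaque tokens. The bundle and `strings.xml` inputs are constructed, the key values are fake, and the AWS pattern is included only to generalise beyond the providers named on this page.

```python
"""Scan deployed client artifacts for embedded secrets.

Added example; not Tata Motors code. The inputs below are constructed to look
like a minified JavaScript bundle and a strings.xml decoded from an APK."""
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fake 64-byte Azure Storage-style key: 88 base64 chars ending in "==".
FAKE_AZURE_KEY = base64.b64encode(b"\x13" * 64).decode()

SAMPLE_BUNDLE = (
    'var cfg={api:"https://api.example.invalid/v1",'
    'storage:"DefaultEndpointsProtocol=https;AccountName=exampleacct;'
    f'AccountKey={FAKE_AZURE_KEY};EndpointSuffix=core.windows.net",'
    'firebase:{apiKey:"AIzaSyA-0123456789abcdefghijklmnopqrstu"},'
    'build:"2023.08.1"};'
)

SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">FleetApp</string>
    <string name="internal_api_token">tok_9f8e7d6c5b4a39281716151413121110ffeeddcc</string>
    <string name="legacy_key">AKIAIOSFODNN7EXAMPLE</string>
</resources>"""

# Known credential shapes. Azure storage account keys are 64 random bytes
# (88 base64 chars with "==" padding); Firebase web API keys start with
# "AIza"; AWS access key IDs start with "AKIA" (added to generalise).
PATTERNS = {
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "firebase_api_key": re.compile(r"(AIza[0-9A-Za-z_\-]{35})"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}
# Fallback for opaque tokens with no fixed shape: long, high-entropy runs.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets sit above this


@dataclass(frozen=True)
class Finding:
    artifact: str
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    # Never write the recovered secret itself into a report or log.
    return f"{secret[:4]}...{secret[-4:]} ({len(secret)} chars)"


def scan_text(artifact: str, text: str) -> list[Finding]:
    findings, known = [], []
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(text):
            known.append(value)
            findings.append(Finding(artifact, kind, redact(value)))
    for token in GENERIC_TOKEN.findall(text):
        if any(token in k for k in known):
            continue  # already reported under a specific pattern
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(Finding(artifact, "high_entropy_string", redact(token)))
    return findings


def scan_artifacts(artifacts: dict[str, str]) -> list[Finding]:
    """artifacts maps a file name to its text (bundle, strings.xml, smali, ...)."""
    return [f for name, text in artifacts.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for f in scan_artifacts({"main.bundle.js": SAMPLE_BUNDLE,
                             "res/values/strings.xml": SAMPLE_STRINGS_XML}):
        print(f"{f.artifact}: {f.kind} -> {f.redacted}")
```

Run it against the real artifacts by feeding `scan_artifacts` the downloaded bundle text and the files produced by an APK decompiler; the entropy fallback is what catches vendor-specific tokens that no signature list knows about, at the cost of some manual triage of long identifiers.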
## Exploitation
- **Status**: Disclosed by security researcher Eaton Zveare, who demonstrated a proof of concept; no evidence of exploitation in the wild prior to discovery has been reported.
- **Complexity**: Low. No authentication or privileged network position is needed; the secrets are recoverable with browser developer tools ("Inspect Element") or standard APK decompilation tools.
- **Attack Vector**: Network (remotely exploitable over the internet).
## Impact
- **Confidentiality**: High (Full access to millions of rows of customer PII, including names, addresses, and phone numbers; access to real-time GPS locations of fleet vehicles).
- **Integrity**: High (Ability to modify user accounts, alter orders, and potentially manipulate fleet management data).
- **Availability**: High (Potential to delete cloud storage blobs or disrupt marketplace services).
## Remediation
### Patches
- The vendor (Tata Motors) deactivated the exposed API keys and revoked the exposed Azure Storage credentials. Because the affected systems are vendor-hosted, there is nothing for end users to install.
- Backend authorization logic was updated to validate requests against server-side session state rather than a static token presented by the client.
### Workarounds
No end-user workaround exists; the exposed material lived in vendor-operated infrastructure. Hardening steps applied on the vendor side:
- **Key Rotation**: All leaked secrets were rotated, not merely removed from the client, since a leaked key stays valid until it is revoked.
- **Code Sanitization**: Sensitive strings were removed from front-end JavaScript and mobile binary builds.
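The authorization change described under Remediation is the difference between trusting a literal that ships to every client and trusting state that only the server holds. The following is an added example (not Tata Motors code) contrasting the two models: the "before" function accepts a fixed header value, while the "after" issues opaque random session tokens, keeps the token-to-identity mapping server-side, enforces expiry and revocation, and checks the role on each request. The header names, token value and roles are constructed for illustration.

```python
"""Static shared token vs. server-issued session.

Added example; not Tata Motors code. Header names, roles and the shipped
token value are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# BEFORE (constructed): the backend trusted a literal that was also compiled
# into the client bundle. Anyone who read the bundle held "admin".
SHIPPED_TOKEN = "internal-admin-token-2023"  # fake value


def authorize_static(headers: dict[str, str]) -> bool:
    return headers.get("X-Internal-Token") == SHIPPED_TOKEN


# AFTER: the server issues an opaque random token after login, keeps the
# mapping token -> identity/role/expiry on its side, and checks the role on
# every privileged request. Nothing in the client reveals a privileged token.
@dataclass
class Session:
    user_id: str
    role: str
    expires_at: float


class SessionStore:
    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable so expiry can be tested
        self._sessions: dict[str, Session] = {}

    def issue(self, user_id: str, role: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits; unguessable
        self._sessions[token] = Session(user_id, role, self._clock() + self._ttl)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.expires_at <= self._clock():
            del self._sessions[token]        # expired: drop it
            return None
        return session

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def authorize_session(store: SessionStore, headers: dict[str, str], required_role: str) -> bool:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    session = store.lookup(auth[len("Bearer "):])
    return session is not None and session.role == required_role


if __name__ == "__main__":
    # The literal recovered from the bundle is enough under the old model...
    print("static token grants admin:", authorize_static({"X-Internal-Token": SHIPPED_TOKEN}))
    store = SessionStore(ttl_seconds=900)
    hdr = {"Authorization": "Bearer " + store.issue("dealer-1042", "customer")}
    # ...but a session obtained by logging in carries only that user's role.
    print("customer session reaches customer API:", authorize_session(store, hdr, "customer"))
    print("customer session reaches admin API:", authorize_session(store, hdr, "admin"))
```

The point of the opaque token is that extracting it from a client yields at most that one user's short-lived session, which the server can expire or revoke; there is no longer any single string whose recovery grants administrative access to everyone.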
## Detection
- **Indicators of Compromise**:
- Access to Azure Storage blobs, in particular requests authenticated with the account key, from public IP addresses outside the vendor's known ranges.
- Bulk enumeration or export of records from E-Dukaan or FleetEdge API endpoints, especially by a single caller over a short period.
- **Detection Methods and Tools**:
- **Secret Scanning**: Run TruffleHog or Gitleaks over code repositories, and also over built artifacts (deployed JavaScript bundles, decompiled APKs), since secrets injected at build time never appear in the repository.
- **Cloud Logging**: Monitor Azure Monitor and Firebase logs for administrative actions and large data reads originating from IP addresses outside Tata Motors' ranges.
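The indicators above translate into three checks over storage access logs: account-key authentication from networks the vendor does not operate, cumulative egress per caller above a bulk threshold, and destructive operations from unknown callers. The script below is an added example (not Tata Motors tooling) that runs those checks over constructed log lines written in the shape of Azure Storage resource logs (`time`, `operationName`, `callerIpAddress` with the port Azure appends, `identity.type`, `properties.responseBodySize`); the field names are an assumption for illustration, and the allowed networks, threshold and IP addresses are made up.

```python
"""Flag account-key use from unknown networks, bulk egress and destructive
operations in storage access logs.

Added example; not Tata Motors tooling. The sample lines are constructed in
the shape of Azure Storage resource logs; field names are an assumption."""
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOGS = """\
{"time":"2023-08-14T09:00:01Z","operationName":"ListBlobs","callerIpAddress":"10.0.4.21:51234","identity":{"type":"OAuth"},"properties":{"responseBodySize":2048}}
{"time":"2023-08-14T09:00:07Z","operationName":"GetBlob","callerIpAddress":"10.0.4.21:51240","identity":{"type":"OAuth"},"properties":{"responseBodySize":5000000}}
{"time":"2023-08-14T09:12:40Z","operationName":"ListBlobs","callerIpAddress":"198.51.100.23:40110","identity":{"type":"AccountKey"},"properties":{"responseBodySize":120000}}
{"time":"2023-08-14T09:12:55Z","operationName":"GetBlob","callerIpAddress":"198.51.100.23:40112","identity":{"type":"AccountKey"},"properties":{"responseBodySize":600000000}}
{"time":"2023-08-14T09:14:02Z","operationName":"GetBlob","callerIpAddress":"198.51.100.23:40119","identity":{"type":"AccountKey"},"properties":{"responseBodySize":600000000}}
{"time":"2023-08-14T09:15:30Z","operationName":"DeleteBlob","callerIpAddress":"198.51.100.23:40121","identity":{"type":"AccountKey"},"properties":{"responseBodySize":0}}
{"time":"2023-08-14T09:16:00Z","operationName":"GetBlob","callerIpAddress":"192.0.2.77:55012","identity":{"type":"SAS"},"properties":{"responseBodySize":300000}}
"""

# Constructed: networks from which the vendor's own services and staff operate.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BULK_BYTES_THRESHOLD = 1_000_000_000      # 1 GB per caller in the analysed window
DESTRUCTIVE_OPS = {"DeleteBlob", "DeleteContainer", "SetBlobTier"}


@dataclass
class Alert:
    rule: str
    caller: str
    detail: dict = field(default_factory=dict)


def caller_ip(addr: str):
    """Strip the port Azure appends: '1.2.3.4:5678' or '[2001:db8::1]:5678'."""
    if addr.startswith("["):
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:
        addr = addr.split(":")[0]
    return ipaddress.ip_address(addr)


def is_allowed(ip) -> bool:
    return any(ip in net for net in ALLOWED_NETWORKS)


def parse_logs(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(records: list[dict]) -> list[Alert]:
    key_use = defaultdict(int)       # caller -> requests authenticated with the account key
    egress = defaultdict(int)        # caller -> bytes returned (all callers, incl. internal)
    destructive = defaultdict(list)  # caller -> destructive operations from unknown networks
    for rec in records:
        ip = caller_ip(rec["callerIpAddress"])
        caller = str(ip)
        egress[caller] += rec.get("properties", {}).get("responseBodySize", 0)
        if is_allowed(ip):
            continue
        if rec.get("identity", {}).get("type") == "AccountKey":
            key_use[caller] += 1     # the shared key should never be used from outside
        if rec["operationName"] in DESTRUCTIVE_OPS:
            destructive[caller].append(rec["operationName"])
    alerts = []
    for caller, n in key_use.items():
        alerts.append(Alert("account_key_from_unknown_ip", caller, {"requests": n}))
    for caller, total in egress.items():
        if total > BULK_BYTES_THRESHOLD:
            alerts.append(Alert("bulk_download", caller, {"bytes": total}))
    for caller, ops in destructive.items():
        alerts.append(Alert("destructive_op_from_unknown_ip", caller, {"operations": ops}))
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_logs(SAMPLE_LOGS)):
        print(f"{a.rule}: {a.caller} {a.detail}")
```

The account-key rule is the decisive one for this class of leak: legitimate services should authenticate with managed identities or scoped SAS tokens, so any account-key request from an address outside the vendor's networks is a strong signal that the key has left the building. The egress rule is deliberately applied to internal callers too, since a compromised internal host would otherwise pass unnoticed.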
## References
- **Researcher Original Post**: hxxps[://]eaton-zveare[.]com/posts/tata-motors-vulnerabilities/
- **Vendor Home**: hxxps[://]www[.]tatamotors[.]com/
- **News Coverage**: hxxps[://]www[.]bleepingcomputer[.]com/news/security/tata-motors-fixes-leaks-exposing-sensitive-data-of-millions-of-users/