Flüpke said he discovered the VW data problem by combining various coding tools, including Subfinder, GoBuster and Spring. Using these tools, Flüpke said, he was able to retrieve a heap dump from VW’s internal storage because it was not password protected. A heap dump lists the various objects within the Java virtual machine (JVM), which can reveal information about memory usage. It is meant to be used for monitoring performance metrics and self-tests.
Inside that dump were listed, in plain text, various valid AWS credentials. When Flüpke confronted VW about the discovery of those credentials, he quoted the company as saying, “Access to information occurred through a complex multi-layered process.”
While that’s true, Flüpke said, and the backend isn’t intended for end users but is instead used to exchange tokens, “you can take an invalid userID to generate a JWT token, which is an authentication token without a password. That’s useful because you can give it a userID and suddenly you’re the one user. We can’t drive cars remotely with this, but we can authenticate with the API from this identity provider and access user data.”
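For teams that produce heap dumps of their own services, the sketch below is an added example (not code from the article or from Flüpke) that audits a dump for plaintext AWS access key IDs before the file is stored or shared, printing only redacted values. The function names and sample bytes are constructed for illustration, and it assumes strings sit in the dump either as single-byte text or as UTF-16BE.

```python
import mmap
import re
import sys

# Access key ID shape: AKIA (long-term) or ASIA (temporary) plus 16 characters.
ASCII_KEY = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Assumption: wide strings sit in the dump as UTF-16BE, i.e. 0x00 before each ASCII byte.
WIDE_RUN = re.compile(rb"(?:\x00[A-Z0-9]){20,}")


def redact(key_id: str) -> str:
    """Keep the prefix and last four characters: enough to identify, not to reuse."""
    return key_id[:4] + "*" * 12 + key_id[-4:]


def scan_dump(data):
    """Return sorted (offset, encoding, redacted_key_id) tuples for a bytes-like dump."""
    findings = []
    for m in ASCII_KEY.finditer(data):
        findings.append((m.start(), "ascii", redact(m.group().decode("ascii"))))
    for run in WIDE_RUN.finditer(data):
        narrow = run.group()[1::2]  # drop the 0x00 high bytes
        for m in ASCII_KEY.finditer(narrow):
            offset = run.start() + 2 * m.start()
            findings.append((offset, "utf-16-be", redact(m.group().decode("ascii"))))
    return sorted(findings)


def scan_file(path):
    """Memory-map a dump file so multi-gigabyte dumps are not read into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_dump(mm)


# Constructed sample bytes (not a real dump); AKIAIOSFODNN7EXAMPLE is AWS's documentation key ID.
SAMPLE = (
    b"JAVA PROFILE 1.0.2\x00\x01\x02junk"
    + b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00\xff\xfe"
    + "ASIAEXAMPLEEXAMPLE00".encode("utf-16-be")
    + b"\x00\x00tail"
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_dump(SAMPLE)
    for offset, encoding, key_id in hits:
        print(f"offset {offset:#x}: {encoding} access key ID {key_id}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status lets a pipeline refuse to archive a dump that still contains key IDs, which should then be rotated rather than merely scrubbed.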