Hacking India's largest automaker: Tata Motors

Original link: https://eaton-works.com/2025/10/28/tata-motors-hack/

## Tata Motors Security Vulnerabilities: Summary

In 2023 a security researcher found serious vulnerabilities across several Tata Motors websites, potentially exposing more than 70 TB of sensitive data. The problems included AWS keys exposed on E-Dukaan (the spare-parts marketplace) and FleetEdge (fleet management), which granted access to numerous S3 buckets holding customer databases, invoices, financial reports and decades of fleet data. Surprisingly, one set of keys used an easily reversible encryption scheme, creating a false sense of security.

Further investigation revealed a critical backdoor in E-Dukaan's Tableau integration. By making use of commented-out code, the researcher obtained unauthorized access, ultimately reaching server administrator privileges, without needing a password. In addition, a hard-coded Azuga API key on the test-drive website compromised their fleet management system.

These vulnerabilities were reported to Tata Motors in August 2023 through India's CERT-IN. Although they were initially acknowledged, remediation progressed slowly and required repeated follow-ups and detailed instructions before the exposed AWS keys were fully revoked. The researcher stresses that, given Tata Motors' scale and the potential impact of these leaks, the lack of basic security measures is worrying. All exposed credentials have now been rotated.

## Tata Motors and Repeated Security Breaches: Summary

A security researcher found exposed AWS keys and credentials in code comments on Tata Motors' websites, potentially granting broad access to its infrastructure. The researcher reported the issue in September 2023, but remediation was slow and required repeated follow-ups, even with CERT-IN's assistance. The incident echoes the earlier large-scale hack of Jaguar Land Rover (also owned by Tata), estimated to have cost the UK economy $2.5 billion.

The discussion centres on Tata Consultancy Services (TCS), a Tata Group company that provides technology services to Tata Motors as well as to other major companies such as Marks & Spencer and the Co-op, all of which have recently suffered security breaches. Many commenters point to a pattern of security shortcomings within TCS, attributing it to factors such as low employee pay, a culture that prioritises speed over quality, and a lack of investment in sound security practices.

Concerns extend beyond TCS: some argue that the Indian technology outsourcing industry has systemic problems, and question whether these breaches stem from incompetence or from possible insider involvement. The incident underscores the importance of not prioritising cost savings over security, and of conducting thorough vendor due diligence.

Original article

Key Points / Summary

  • 2 exposed AWS keys on public-facing websites revealed 70+ TB of sensitive information and infrastructure across hundreds of buckets.
  • Pointless AWS key encryption easily defeated.
  • Tableau backdoor made it possible to log in as anyone without a password, including the server admin. This exposed countless internal projects, financial reports, and dealer dashboards.
  • Exposed Azuga API key compromised test drive fleet management system.

If you are in the US and ask your friends and family if they have heard of “Tata Motors”, they would likely say no. However, if you go overseas, Tata Motors and the Tata Group in general are a massive, well-known conglomerate. Back in 2023, I took my hacking adventures overseas and found many vulnerabilities with Tata Motors. This post covers 4 of the most impactful findings I discovered that I am finally ready to share today. Let’s dive in!

Note that all secrets/credentials shown have been rotated, meaning they are no longer valid and cannot be used anymore. Additionally, no substantial amounts of data were downloaded as part of any testing, nor was there any obvious evidence of malicious access.

AWS Keys in E-Dukaan Marketplace

E-Dukaan is a Tata Motors site where their customers can buy spare parts for their vehicles. It’s a typical E-Commerce site, but it had a dark secret!

Can you see it? Right there, in plaintext, are AWS keys. For those unfamiliar, you NEVER EVER want to expose these because people can use them to download all your files stored on Amazon, upload malicious content, rack up massive bills, etc.

Intrigued, I put them into S3 Browser to see what it unlocked access to. The answer was... basically everything. A long list of buckets packed with sensitive information. Here are a few examples:

A customer database backup? Check ✅

Customer lists and market intelligence? Yup ✅

Hundreds of thousands of invoices for E-Dukaan containing customer information, like PAN? Of course ✅

Admin order reports? Absolutely ✅ (about 40 GB worth of reports in here)

You may be wondering, where was this AWS keyset actually used? What made it worth the risk of exposing so much? Answer: to download a 4 KB file containing tax codes:

Decryptable AWS Keys in FleetEdge

Finding the AWS keys in E-Dukaan was so easy that it felt like cheating. This next one was more challenging (but not by much).

FleetEdge is Tata Motors’ fleet management/tracking solution. More info is here. Looking at the API calls that are executed on site load as a guest user, one immediately stuck out:

Right there in the response is another set of AWS keys, but this time they were not plaintext – they appeared to be encrypted. A quick search of a decrypt method turned up the exact code, and setting a breakpoint there was enough to reveal the contents:

As recently seen with Intel, there seems to be a trend of developers doing this pointless client-side decryption. When the client has the key, it's strange that anyone would think that would be secure. Maybe these devs knew what the E-Dukaan team was doing and wanted to (try to) do things a little better?
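The E-Dukaan tax-code download and the FleetEdge "decryptable" keys just described share one fix: the secret stays on the server, and the browser receives only a short-lived presigned URL for the single object it needs. The following is an added example, not code from the post or from Tata Motors, implementing S3's SigV4 query-string presigning with the Python standard library so that each signed element is visible. The bucket name, object key and region are hypothetical, and the credentials are the AWS documentation example values.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

# Constructed demo inputs. The credentials are the AWS documentation example
# values, not real keys; in production they come from the server's secret
# store or instance role and are never written into a JS bundle.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_BUCKET = "example-tax-codes"      # hypothetical bucket name
DEMO_OBJECT = "codes/gst-codes.json"   # hypothetical small tax-code file
DEMO_REGION = "ap-south-1"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The secret is only ever the root of this HMAC
    chain, so it is never transmitted and never appears in the URL."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_s3_get(bucket, key, access_key, secret_key, region, expires=300, now=None):
    """Return a GET URL for s3://bucket/key that S3 accepts for `expires` seconds.

    Runs server-side; the browser receives only the finished URL, which cannot
    be extended, re-targeted at another object, or used to list the bucket.
    """
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"

    # Every query parameter below is part of the signed canonical request, so
    # tampering with any of them invalidates the signature.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = "/" + urllib.parse.quote(key, safe="/")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",      # canonical headers, terminated by a blank line
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned GETs do not sign a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date, region, "s3"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def demo_url() -> str:
    """Deterministic example (fixed timestamp) so the output can be inspected."""
    fixed_now = datetime(2023, 8, 8, 12, 0, 0, tzinfo=timezone.utc)
    return presign_s3_get(DEMO_BUCKET, DEMO_OBJECT, DEMO_ACCESS_KEY,
                          DEMO_SECRET_KEY, DEMO_REGION, expires=300, now=fixed_now)


if __name__ == "__main__":
    print(demo_url())
```

The web server calls `presign_s3_get` when the page needs the file and embeds the result; the only thing that reaches the client is a URL good for five minutes and one object, which is all the original code ever needed. Whether the key had been "encrypted" client-side makes no difference to this design, since nothing key-shaped leaves the server at all.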

This set of AWS keys had a similarly serious impact. There was another long list of new buckets you could access. At one point, S3 Browser estimated 70 TB in one bucket before it crashed. Here are a few examples:

Fleet insights – this is where 70 TB+ of data was found. There was some datalake with files going back to 1996!

You also had write access to some websites. You could easily slip in some malware on the frontpage and wreak some havoc.

Backdoor admin access to Tableau

Note: This flaw is not believed to be linked to Tableau itself and instead was introduced by Tata Motors.

Let’s go back to E-Dukaan now. Turns out, it’s the gift that keeps on giving. Poking around the source code of the website, I came across some interesting code:

The first obvious issue was the username and password in the comments. If you look closer, you can see an HTTP call to get a “trusted token”. Crucially, it only needs username and site name (no password). Thanks to the code comment, we had a username to try. Performing the HTTP POST manually yielded a token!

Definitely trust me, even though I have no password.

When you plug that into the infoviz URL like the code does, you will be redirected to Tableau!

But there is more fun to be had. This user didn't have access to much. Since we essentially had a backdoor into Tableau that needed only a username, we could in theory log in as anyone. One of the cards had the server admin as the owner, and it was possible to get the username that way:

With that in hand, I went through the same process of getting a token, and then I had total control over Tableau with access to everything. I didn’t dig too deep after this since it was a lot of sensitive corporate stuff, and I had proven the vulnerability at this point.
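The root of the Tableau backdoor is that the trusted-ticket request (username plus site name, no password) was reachable from client-side code, so whoever sends it chooses the identity. As an added example, not the post's code or Tata Motors' fix, here is the server-side shape that closes it: a ticket is minted only for the identity already bound to the caller's server-side session, and any client-supplied username is refused unless it matches. `SessionStore`, `fake_post_trusted` and the session and user names are constructed stand-ins; the real call is an HTTP POST from the web server to Tableau.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# The trusted-ticket request works as the post describes it: a POST carrying a
# username and a site name, no password. Tableau trusts the *caller*, so the
# caller has to be a server-side component, never the browser.
# `post_trusted` stands in for that HTTP call so the example runs offline.
PostTrusted = Callable[[str, str], str]


@dataclass
class Session:
    # Server-side session record. The browser holds only an opaque session id,
    # so it cannot choose which Tableau identity it is mapped to.
    tableau_username: Optional[str] = None


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, session_id: str, tableau_username: Optional[str]) -> None:
        self._sessions[session_id] = Session(tableau_username)

    def get(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)


def mint_ticket_for_session(store: SessionStore, session_id: str, site: str,
                            post_trusted: PostTrusted,
                            requested_username: Optional[str] = None) -> str:
    """Mint a trusted ticket for the caller's own identity only.

    The username sent to Tableau comes from the server-side session. A
    client-supplied `requested_username` is only compared, never used: if it
    names anyone else, the request is refused.
    """
    session = store.get(session_id)
    if session is None or not session.tableau_username:
        raise PermissionError("no authenticated Tableau user on this session")
    if requested_username is not None and requested_username != session.tableau_username:
        raise PermissionError("refusing to mint a ticket for another user")
    ticket = post_trusted(session.tableau_username, site)
    if ticket == "-1":  # Tableau answers -1 when it declines to issue a ticket
        raise RuntimeError("Tableau refused to issue a trusted ticket")
    return ticket


def fake_post_trusted(username: str, site: str) -> str:
    """Constructed stand-in for the POST to Tableau Server's trusted endpoint."""
    return f"ticket-for-{username}@{site}"


def try_mint(store, session_id, site, post_trusted, requested_username=None) -> str:
    """Same as mint_ticket_for_session, but reports refusals as a string."""
    try:
        return mint_ticket_for_session(store, session_id, site, post_trusted, requested_username)
    except (PermissionError, RuntimeError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    store = SessionStore()
    store.create("sess-dealer", "dealer42")   # constructed session and user
    store.create("sess-guest", None)
    print(try_mint(store, "sess-dealer", "example-site", fake_post_trusted))
    print(try_mint(store, "sess-dealer", "example-site", fake_post_trusted, "serveradmin"))
    print(try_mint(store, "sess-guest", "example-site", fake_post_trusted))
```

The second half of the fix is on the Tableau side: Tableau Server only honours trusted-ticket requests from hosts it is configured to trust (the `wgserver.trusted_hosts` setting), and that list should name the web server alone. The post shows the POST succeeding from the researcher's own machine, so whatever allow list was in place was not doing that job.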

Azuga API Key Leak

Azuga is a fleet management platform. Tata Motors used it for their test drive website, presumably to keep tabs on where their cars are. Right there in the JS code was the Azuga token that should never have left the server. A quick API test was enough to confirm it was valid, and that is where I wrapped things up.
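Both the E-Dukaan AWS keys and the Azuga token were sitting in JavaScript served to every visitor, which is also the easiest place to catch them before publication. The block below is an added example, not code from the post or from Tata Motors: a small pre-deploy scanner that runs over built bundles and fails the build on a hit. The rules, the sample bundle and the Azuga-style token literal are constructed for the demo; the AWS values are the documentation example credentials.

```python
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    preview: str   # redacted; the full value must not end up in CI logs


# Detection rules. AWS access key ids have a fixed prefix and length; AWS
# secret keys are 40 chars of base64-like text and are only flagged next to a
# "secret"-named field; generic API keys/tokens are matched by a suggestive
# variable name followed by a long quoted literal. The last two are heuristics
# and will occasionally flag fixtures or hashes, which is the right trade-off
# for a gate that runs before a bundle goes public.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("aws_secret_access_key",
     re.compile(r"(?i)secret[^\n'\"]{0,40}['\"]([A-Za-z0-9/+]{40})['\"]")),
    ("generic_api_token",
     re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]")),
]


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if (lineno, value) in seen:
                    continue            # same literal already reported by an earlier rule
                seen.add((lineno, value))
                findings.append(Finding(lineno, kind, redact(value)))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample resembling a built frontend bundle. The AWS values are the
# AWS documentation example credentials; the apiKey literal is made up.
SAMPLE_BUNDLE = """\
var s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "ap-south-1"
});
var telemetry = { apiKey: "azg_EXAMPLE_0123456789abcdefABCDEF" };
var build = "7f3a9c2e"; // short identifiers do not trip the rules
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:       # CI usage: python scan_bundle.py dist/*.js
        results = [(p, f) for p in sys.argv[1:] for f in scan_file(p)]
        for path, f in results:
            print(f"{path}:{f.line}: {f.kind} {f.preview}")
        sys.exit(1 if results else 0)   # any finding blocks the deploy
    for f in scan_text(SAMPLE_BUNDLE):  # no arguments: demonstrate on the sample
        print(f"<sample>:{f.line}: {f.kind} {f.preview}")
```

Run it as the last step of the frontend build, over the minified output rather than the source tree, because that is the artefact that actually reaches browsers. A hit on an access key id or a third-party token is a rotation, not just a build fix, since the value has already been in version control.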

Timeline

Special thanks to India’s Computer Emergency Response Team (CERT-IN) for working with me on these disclosures.

All 4 issues were reported to Tata Motors through CERT-IN. Tata Motors was a bit slow in rotating the AWS keys. Given what was exposed, I had hoped they would have done it faster.

  • August 8, 2023: Reported. A response is received shortly after confirming they will take action with the concerned authority.
  • August 30, 2023: I request an update.
  • September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated.
  • September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active.
  • October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done.
  • October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
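The timeline shows that the slowest part of the response was revoking the AWS keys, which in the end took specific instructions from the researcher. As an added example, not the steps the post sent and not anything Tata Motors ran, here is that revocation written as a runbook against the boto3 IAM client's call names (`get_access_key_last_used`, `update_access_key`, `create_access_key`, `delete_access_key`). The `FakeIAM` class, the user name `edukaan-web` and the generated key ids are constructed so it runs offline, and the documentation example key id stands in for the leaked one.

```python
from typing import Dict, List


class FakeIAM:
    """Constructed in-memory stand-in for a boto3 IAM client. It implements only
    the calls the runbook uses, with boto3's method names, keyword arguments and
    response shapes, so the functions below also work against the real client."""

    def __init__(self, keys: Dict[str, Dict[str, str]]) -> None:
        # AccessKeyId -> {"UserName": ..., "Status": "Active" | "Inactive"}
        self.keys = {k: dict(v) for k, v in keys.items()}
        self._issued = 0

    def get_access_key_last_used(self, AccessKeyId: str) -> dict:
        return {"UserName": self.keys[AccessKeyId]["UserName"]}

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [
            {"AccessKeyId": k, "UserName": v["UserName"], "Status": v["Status"]}
            for k, v in self.keys.items() if v["UserName"] == UserName]}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> None:
        self.keys[AccessKeyId]["Status"] = Status

    def create_access_key(self, UserName: str) -> dict:
        self._issued += 1
        new_id = f"AKIAEXAMPLENEW{self._issued:06d}"   # constructed, not a real id
        self.keys[new_id] = {"UserName": UserName, "Status": "Active"}
        return {"AccessKey": {"AccessKeyId": new_id, "UserName": UserName,
                              "SecretAccessKey": "<constructed-secret>"}}

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> None:
        del self.keys[AccessKeyId]


def contain_leaked_key(iam, leaked_key_id: str) -> str:
    """Step 1: find the owner and deactivate the key immediately.

    Deactivation takes effect at once and is reversible, so it is safe to do
    before anyone has worked out which workload the key belongs to.
    """
    owner = iam.get_access_key_last_used(AccessKeyId=leaked_key_id)["UserName"]
    iam.update_access_key(UserName=owner, AccessKeyId=leaked_key_id, Status="Inactive")
    return owner


def issue_replacement(iam, owner: str) -> dict:
    """Step 2: mint a new key for the same user for the legitimate workload.

    IAM permits at most two access keys per user (active or not), so refuse
    rather than silently deleting a key whose use is unknown.
    """
    existing = iam.list_access_keys(UserName=owner)["AccessKeyMetadata"]
    if len(existing) >= 2:
        raise RuntimeError(f"{owner} already has two access keys; retire one first")
    return iam.create_access_key(UserName=owner)["AccessKey"]


def retire_leaked_key(iam, owner: str, leaked_key_id: str) -> List[str]:
    """Step 3: delete the leaked key once the replacement is deployed.

    Deleting closes the case for good: an Inactive key can be re-enabled by
    mistake, or by anyone who later gains IAM write access.
    """
    iam.delete_access_key(UserName=owner, AccessKeyId=leaked_key_id)
    return [k["AccessKeyId"] for k in iam.list_access_keys(UserName=owner)["AccessKeyMetadata"]]


def run_rotation(iam, leaked_key_id: str) -> dict:
    """The whole runbook in order; returns a summary for the disclosure reply."""
    owner = contain_leaked_key(iam, leaked_key_id)
    replacement = issue_replacement(iam, owner)
    remaining = retire_leaked_key(iam, owner, leaked_key_id)
    return {"user": owner, "revoked": leaked_key_id,
            "replacement": replacement["AccessKeyId"], "remaining_keys": remaining}


if __name__ == "__main__":
    # Constructed state: one app user whose only key is the documentation
    # example id, standing in for the key found in the public bundle.
    iam = FakeIAM({"AKIAIOSFODNN7EXAMPLE": {"UserName": "edukaan-web", "Status": "Active"}})
    print(run_rotation(iam, "AKIAIOSFODNN7EXAMPLE"))
```

Against a real account, `iam` is `boto3.client("iam")` and step 3 is run only after the replacement has been deployed and CloudTrail shows no further use of the old key id. Step 1 is the part that should happen within hours of a report, not months: nothing else in the runbook needs to be ready for it.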

India’s largest automaker should be more secure

Compared to some of my other recent hacks, these weren’t anything super sophisticated. You just had to know where to look. Secrets leak all the time, but the impact is often tempered by the secret having limited access. In this case, having 2 sets of AWS keys leak with access to so much is incredibly concerning. When buying a car, you should be able to trust the automaker will take reasonable actions to keep your data secure. I hope Tata Motors does better in the future – someone else would have absolutely discovered these vulnerabilities at some point, and that would have been a much darker story.

