Hacking India’s largest automaker: Tata Motors

Eaton

Key Points / Summary

If you are in the US and ask your friends and family if they have heard of “Tata Motors”, they would likely say no. However, if you go overseas, Tata Motors and the Tata Group in general are a massive, well-known conglomerate. Back in 2023, I took my hacking adventures overseas and found many vulnerabilities with Tata Motors. This post covers 4 of the most impactful findings I discovered that I am finally ready to share today. Let’s dive in!

Note that all secrets/credentials shown have been rotated, meaning they are no longer valid and cannot be used anymore. Additionally, no substantial amounts of data were downloaded as part of any testing, nor was there any obvious evidence of malicious access.

AWS Keys in E-Dukaan Marketplace

E-Dukaan is a Tata Motors site where their customers can buy spare parts for their vehicles. It’s a typical E-Commerce site, but it had a dark secret!

Can you see it? Right there, in plaintext, are AWS keys. For those unfamiliar, you NEVER EVER want to expose these because people can use them to download all your files stored on Amazon, upload malicious content, rack up massive bills, etc.

Intrigued, I put them into S3 Browser to see what it unlocked access to. The answer was... basically everything: a long list of buckets packed with sensitive information. Here are a few examples:

A customer database backup? Check ✅

Customer lists and market intelligence? Yup ✅

Hundreds of thousands of invoices for E-Dukaan containing customer information, like PAN? Of course ✅

Admin order reports? Absolutely ✅ (about 40 GB worth of reports in here)

You may be wondering, where was this AWS keyset actually used? What made it worth the risk of exposing so much? Answer: to download a 4 KB file containing tax codes:

The code where the keys are used.
The file that gets downloaded.

Decryptable AWS Keys in FleetEdge

Finding the AWS keys in E-Dukaan was so easy that it felt like cheating. This next one was more challenging (but not by much).

FleetEdge is Tata Motors’ fleet management/tracking solution. More info is here. Looking at the API calls that are executed on site load as a guest user, one immediately stuck out:

Right there in the response is another set of AWS keys, but this time they were not plaintext – they appeared to be encrypted. A quick search for a decrypt method turned up the exact code, and setting a breakpoint there was enough to reveal the contents:

As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure. Maybe these devs knew what the E-Dukaan team was doing and wanted to (try to) do things a little better?

This set of AWS keys has a similarly serious impact. There was another long list of new buckets you could access. At one point, S3 Browser had estimated 70 TB in one bucket before it crashed. Here are a few examples:

Fleet insights – this is where 70 TB+ of data was found. There was some datalake with files going back to 1996!

You also had write access to some websites. You could easily slip some malware onto the front page and wreak some havoc.

Backdoor admin access to Tableau

Note: This flaw is not believed to be linked to Tableau itself and instead was introduced by Tata Motors.

Let’s go back to E-Dukaan now. Turns out, it’s the gift that keeps on giving. Poking around the source code of the website, I came across some interesting code:

The first obvious issue was the username and password in the comments. If you look closer, you can see an HTTP call to get a “trusted token”. Crucially, it only needs username and site name (no password). Thanks to the code comment, we had a username to try. Performing the HTTP POST manually yielded a token!

Definitely trust me, even though I have no password.

When you plug that into the infoviz URL like the code does, you will be redirected to Tableau!

But there is more fun to be had. This user didn’t have access to much. Since we essentially had a backdoor into Tableau needing only a username, we could in theory log in as anyone. One of the cards had the server admin as the owner, and it was possible to get the username that way:

With that in hand, I went through the same process of getting a token, and then I had total control over Tableau with access to everything. I didn’t dig too deep after this since it was a lot of sensitive corporate stuff, and I had proven the vulnerability at this point.
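The root cause above is that the trusted-ticket request (username plus site name, no password) could be made from the browser with any username. Below is an added example, not Tata Motors’ or Tableau’s code, of how the same flow looks when the web server mints the ticket for the user bound to its own session and Tableau only honours requests from allowlisted hosts. The Tableau host, site name, session store, trusted-host list and the fake Tableau endpoint are all constructed so it runs offline.

```python
"""Server-side Tableau trusted-ticket issuance (added example, constructed values)."""
from dataclasses import dataclass
from typing import Callable, Optional

TABLEAU_URL = "https://tableau.example.invalid"  # placeholder server
TARGET_SITE = "EDUKAAN"                          # placeholder site name
TRUSTED_HOSTS = {"10.0.0.5"}                     # web server(s) Tableau accepts /trusted from


@dataclass(frozen=True)
class Session:
    app_user: str
    tableau_user: str   # mapped once at app login; never taken from a request parameter


# Constructed session store standing in for the web app's real one.
SESSIONS = {"sess-abc": Session("customer-42", "dealer_report_viewer")}


def fake_tableau_trusted(url: str, data: dict, source_ip: str) -> str:
    """Stands in for POST <server>/trusted, which answers with a ticket or "-1".
    Like the real server, it refuses callers outside the trusted-host list."""
    if source_ip not in TRUSTED_HOSTS or url != f"{TABLEAU_URL}/trusted":
        return "-1"
    if data.get("username") not in {"dealer_report_viewer", "tableau_admin"}:
        return "-1"
    return "tkt-constructed-9f3a"   # constructed ticket value


def issue_view_url(session_id: str, view_path: str,
                   post: Callable[[str, dict, str], str] = fake_tableau_trusted,
                   source_ip: str = "10.0.0.5") -> Optional[str]:
    """Hardened flow: the username sent to Tableau comes from the app session, so a
    browser cannot request a ticket for the server admin; the POST itself is made by
    the web server, so Tableau's trusted-host check applies."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None                      # no app login, no Tableau access
    body = post(f"{TABLEAU_URL}/trusted",
                {"username": session.tableau_user, "target_site": TARGET_SITE},
                source_ip)
    ticket = body.strip()
    if ticket in ("", "-1"):
        return None                      # Tableau refused the request
    # Redirect target in the same shape as the "infoviz" URL the page code built.
    return f"{TABLEAU_URL}/trusted/{ticket}/views/{view_path}"
```

Both controls matter: the session binding stops username substitution, and the trusted-host list stops anyone who learns the endpoint from calling it directly.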

Azuga API Key Leak

Azuga is a fleet management platform. Tata Motors used it for their test drive website, presumably to keep tabs on where their cars are. Right there in the JS code was the Azuga token that should never have left the server. A quick API test was enough to confirm it was valid, and that is where I wrapped things up.
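The E-Dukaan AWS keys and the Azuga token share one root cause: long-lived secrets shipped inside client-side JavaScript. The scanner below is an added example, not Tata Motors’ code or any vendor’s tool, of the check a build pipeline can run over its bundles before release; the bundle excerpt and every key value in it are constructed (the secret is the AWS documentation example, which is not a real credential).

```python
"""Scan client-side JS bundles for hard-coded cloud credentials (added example)."""
import math
import re

# AWS access key IDs have a fixed prefix and 16 trailing characters; the matching
# secret is 40 base64-style characters, usually next to a "secret" identifier.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)(secret[_-]?(?:access[_-]?)?key|aws[_-]?secret)\W{0,5}['\"]([A-Za-z0-9/+=]{40})['\"]")
# Vendor tokens (like the Azuga one) have no fixed shape, so match by identifier name
# and filter on entropy to drop placeholders.
GENERIC_TOKEN_RE = re.compile(
    r"(?i)(api[_-]?key|token|access[_-]?key)\b\W{0,5}['\"]([A-Za-z0-9_\-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_bundle(text: str, min_entropy: float = 3.0) -> list:
    """Return findings as {line, kind, value} for each line of a bundle."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(2)})
        for m in GENERIC_TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:   # skips "replace_me..." style values
                findings.append({"line": lineno, "kind": "api_token", "value": m.group(2)})
    return findings


# Constructed bundle excerpt: the access key and token are made up, the secret is
# AWS's documented example value. None of these are valid credentials.
SAMPLE_BUNDLE = """\
var s3 = new AWS.S3({accessKeyId: "AKIAEXAMPLE012345678", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"});
const azugaToken = "aZ9kQ3mP7xL2vN8rT4wY6bH1cJ5dF0gS";
const apiKey = "replace_me_replace_me_replace_me";
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} = {f['value'][:6]}...")
```

A regex pass will not catch the FleetEdge variant, where the value is obfuscated and a decrypt routine ships beside it; that case needs a review of the bundle for decryption helpers and of every API response the page loads as a guest.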

Timeline

Special thanks to India’s Computer Emergency Response Team (CERT-IN) for working with me on these disclosures.

All 4 issues were reported to Tata Motors through CERT-IN. Tata Motors was a bit slow in rotating the AWS keys. Given what was exposed, I had hoped they would have done it faster.

India’s largest automaker should be more secure

Compared to some of my other recent hacks, these weren’t anything super sophisticated. You just had to know where to look. Secrets leak all the time, but the impact is often tempered by the secret having limited access. In this case, having 2 sets of AWS keys leak with access to so much is incredibly concerning. When buying a car, you should be able to trust the automaker will take reasonable actions to keep your data secure. I hope Tata Motors does better in the future – someone else would have absolutely discovered these vulnerabilities at some point, and that would have been a much darker story.
