Security Flaws in Tata Motors’ E-Dukaan Portal Exposed Sensitive Data
A series of security vulnerabilities in the systems of Indian automotive giant Tata Motors, which exposed sensitive internal data, have been identified and rectified. The exposed data included personal information of customers, company reports, and data related to its dealers.
According to security researcher Eaton Zveare, the vulnerabilities were discovered in Tata Motors’ E-Dukaan unit. E-Dukaan is an e-commerce portal designed for purchasing spare parts for Tata-made commercial vehicles. As a major player in the automotive industry, Tata Motors is headquartered in Mumbai and produces a wide range of vehicles, including passenger cars, commercial vehicles, and defense vehicles. The company has a significant global presence, with operations in 125 countries and seven assembly facilities, as per its official website.
Zveare noted that the web source code of the E-Dukaan portal contained private keys that granted access to and allowed modification of data within Tata Motors’ Amazon Web Services (AWS) account. The researcher outlined the details of the discovery in a blog post, explaining how these exposed keys posed a significant security risk.
Among the exposed data were hundreds of thousands of invoices, each containing customer information such as names, mailing addresses, and permanent account numbers (PAN), a unique identifier issued by the Indian government. The researcher exercised restraint in handling the situation, avoiding any actions that could have triggered alarms or resulted in massive data egress bills for Tata Motors.
Further examination revealed MySQL database backups and Apache Parquet files, which included various bits of private customer information and communication. The AWS keys also provided access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Additionally, Zveare found backdoor admin access to a Tableau account, which contained data on over 8,000 users.
With the level of access afforded by the exposed AWS keys, it was possible to view sensitive internal information, including financial reports, performance reports, dealer scorecards, and various dashboards. The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which is integral to the company’s test drive website.
Upon discovering these issues, Zveare promptly reported them to Tata Motors through the Indian Computer Emergency Response Team (CERT-In) in August 2023. By October 2023, Tata Motors had informed Zveare that it was addressing the AWS issues, having already secured the initial vulnerabilities. However, the company did not provide a specific timeline for when these issues were fully resolved.
Tata Motors has confirmed to TechCrunch that all reported vulnerabilities were fixed in 2023. However, the company has not disclosed whether it notified the affected customers about the exposure of their personal information.
In a statement, Sudeep Bhalla, the communications head at Tata Motors, said, “We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed.” Bhalla also highlighted the company’s proactive approach to cybersecurity, mentioning regular audits by leading cybersecurity firms, comprehensive access logs to monitor for unauthorized activity, and collaboration with industry experts to strengthen its security posture.



