
Posted by EatonZ 10/29/2025

Hacking India's largest automaker: Tata Motors(eaton-works.com)
273 points | 99 comments | page 2
faridv 11/10/2025
I'm just trying to understand, how is finding keys in plain sight termed as hacking?
guluarte 11/1/2025
btw... some URLs in this image contain JS with vulnerabilities https://eaton-works.com/cdn-cgi/imagedelivery/VwwCqBIYNXeyNQ...

https://imgur.com/a/ybFcY5Y

https://imgur.com/Pf7ywbK

driverdan 11/1/2025
I'm curious, why wait so long to publish this? The incident was in 2023.
chisleu 11/1/2025
Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
coldfoundry 11/1/2025
This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s tv show with the tech guy doing “hacking”.

Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.

alephnerd 11/1/2025
This may look "boring" or "uninspired" but this is what real cybersecurity and "hacking" looks like.

In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.

hvb2 11/1/2025
This has nothing to do with testing. This is a lack of training.

I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.

I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...

alephnerd 11/1/2025
As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs as well as has formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig because development and code review are orthogonal to proactive security checks.

Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).

sumedh 11/1/2025
> This has nothing to do with testing.

A good QA can catch/test such security issues, although most such work is given to a dedicated pen tester to find weaknesses in the platform.

spprashant 10/31/2025
This is embarrassing.
fred_is_fred 11/1/2025
He would have had better results if he said "do the needful" in his first email to them.
qwertytyyuu 11/1/2025
Woah, Tata is everywhere; weren't they also the biggest YouTube channel?
sreetamdas 11/1/2025
I believe you're talking about T-Series? Pretty sure they are not related.
connectsnk 10/31/2025
Are there any open source tools that scan the code and detect such gaffes?
UltraMagnus 11/1/2025
Not open source, but I have used this before, and they have a very generous free tier: https://www.gitguardian.com/monitor-internal-repositories-fo...

You install their GitHub app and give them access to your GitHub repo (private repos are ok too) and they run a GitHub workflow when each PR is submitted, scanning for secrets that should not be in the code. Really happy with how their product works.

unsungNovelty 11/1/2025
If you weren't aware of it... There is a world of static application security tools (SAST) which can help you. Add them to your text editor/CI/CD to use them.

https://owasp.org/www-community/Source_Code_Analysis_Tools

EatonZ 11/1/2025
TruffleHog: https://trufflesecurity.com/trufflehog

I worked for them a little bit and their product is really impressive and works great.

heretoread9000 11/1/2025
TruffleHog is a good starting point; then bake your own simple regex into your GitHub Actions or equivalent and make it part of your test suite.
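Along the lines of this suggestion, an added example (not from the thread, and not TruffleHog's or GitGuardian's code) of a small Python secret check that could run as a CI test: a couple of well-known token formats, a constructed heuristic for commented-out logins like the one the article describes, and a Shannon-entropy test for random-looking quoted strings. The sample "source file" and every value in it are made up for the demo.

```python
import math
import re
from collections import Counter

# A few well-known token formats plus a heuristic for commented-out logins.
# The commented_credential regex is a constructed heuristic, not from any product.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "commented_credential": re.compile(
        r"^\s*(?://|#|<!--|/\*).*(?:user(?:name)?|pass(?:word)?)\s*[:=]\s*\S+",
        re.IGNORECASE,
    ),
}
# Quoted runs of 20+ token-like characters are candidates for the entropy test.
HIGH_ENTROPY = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets usually score above ~4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 4.0):
    """Return (line_number, rule, matched_text) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((lineno, rule, m.group(0)))
        for m in HIGH_ENTROPY.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append((lineno, "high_entropy_string", m.group(1)))
    return findings


# Constructed sample "source file"; every value in it is made up for this demo.
SAMPLE = """\
const apiBase = "https://example.invalid/api";
// username: admin password: hunter2   <- leftover from testing
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const token = "xK9pQ2mZ7vL4nR8wT1bY6cJ3hF5gD0sA";
const label = "aaaaaaaaaaaaaaaaaaaaaaaa";
"""

if __name__ == "__main__":
    # In CI, exit non-zero on any finding so the PR check fails.
    for lineno, rule, match in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {match}")
    raise SystemExit(1 if scan_text(SAMPLE) else 0)
```

The low-entropy `"aaaa..."` line and the URL on line 1 are there to show what the entropy threshold and the character class filter out.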
vivzkestrel 11/1/2025
Stupid question, but can we not make a regex for searching for API keys of particular APIs and do a brute force scan across the internet?
richbell 11/1/2025
There are a number of products and open source tools that do this. Look up "secret scanning".
defraudbah 11/1/2025
give this Uri Said by Deepak Gupta