Volkswagen Data Leak: AWS Credentials Failure Exposes Massive Breach

Tech Read Team
3 Min Read


“Volkswagen’s Massive Data Leak Exposed: AWS Credentials Found Through Simple Tools”

In a shocking revelation, security researcher Flüpke discovered a massive data leak at Volkswagen (VW) by combining basic tools such as Subfinder, GoBuster, and Spring. These tools led him to a heap dump from VW’s internal systems that had been left exposed without even password protection.

A heap dump, typically used to monitor performance metrics in Java Virtual Machines (JVM), revealed a treasure trove of sensitive data, including active AWS credentials in plain text. When Flüpke alerted VW, the company responded that the data breach had involved a “complex multilayered process.”

Despite the backend being designed for internal use, Flüpke pointed out a major security flaw: by supplying an arbitrary userID, he was able to generate a JWT (JSON Web Token) authentication token, which granted access to that user’s data without a password. Although this did not allow remote control of vehicles, it did open the door to sensitive user data through an API.

This breach highlights the critical need for stronger security practices, especially when handling sensitive credentials in internal systems.

Flüpke said that he found the VW data problem by combining various coding tools, including Subfinder, GoBuster and Spring. Using these tools, he said, he was able to retrieve the heap dump from VW’s internal environment because it was not password protected. A heap dump lists the objects in a Java Virtual Machine (JVM) and reveals details about memory usage; it is intended for monitoring performance metrics and for introspection.

Within that heap dump were listed, in plain text, various active AWS credentials. When Flüpke confronted VW with the discovery of those credentials, he quoted the company as saying, “the access to the data happened in a very complex multilayered process.”
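The point above is that a heap dump captures whatever secrets the running JVM holds in memory, so a defender should treat exported heap dumps (and other memory artifacts) as inputs to the same secret scanning applied to source code. The following is an added example written for this page in Python; it is not the researcher's tooling or anything from VW. It pulls printable byte runs out of a dump the way the `strings` utility does, flags AWS access key IDs by their fixed prefix, and flags 40-character secret-key candidates only when their Shannon entropy is high enough to look random rather than like a class name. The sample blob, the key values (the placeholder keys from AWS's own documentation) and the entropy threshold are all constructed for the example; it also assumes string content appears as contiguous single-byte (ASCII/Latin-1) text in the dump, which holds for compact strings on modern JVMs but not for every dump format.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Printable ASCII runs of at least 8 bytes, the same idea as the `strings` tool.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# AWS access key IDs: AKIA (long-term) or ASIA (temporary STS) plus 16 uppercase alphanumerics.
_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are exactly 40 base64-alphabet characters; pattern alone is too weak,
# so candidates are additionally filtered by entropy below.
_SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed cut-off for this example


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str   # the report itself is sensitive, so the raw value is never returned
    offset: int   # byte offset in the dump, for triage


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_heap_dump(blob: bytes) -> list[Finding]:
    """Return AWS credential findings from a raw heap dump (or any memory artifact)."""
    findings: list[Finding] = []
    for run in _ASCII_RUN.finditer(blob):
        text = run.group().decode("ascii")
        base = run.start()
        for m in _ACCESS_KEY_ID.finditer(text):
            findings.append(Finding("aws_access_key_id", _mask(m.group()), base + m.start()))
        for m in _SECRET_CANDIDATE.finditer(text):
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append(Finding("aws_secret_access_key", _mask(m.group()), base + m.start()))
    return findings


# Constructed stand-in for a heap dump: a header, binary noise, field names, the AWS
# documentation placeholder credentials, a low-entropy decoy and a class name.
SAMPLE_HEAP_DUMP = (
    b"JAVA PROFILE 1.0.2\x00" + bytes(range(0, 32))
    + b"aws.accessKeyId\x00\x00" + b"AKIAIOSFODNN7EXAMPLE" + b"\x00\x01\x02\x7f"
    + b"aws.secretKey\x00" + b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + b"\x00\x00"
    + b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"          # 40 chars, entropy 0: not flagged
    + b"com/example/backend/TokenExchangeServiceImpl\x00"   # 44 chars: wrong length, not flagged
)


if __name__ == "__main__":
    for f in scan_heap_dump(SAMPLE_HEAP_DUMP):
        print(f"{f.kind:24s} {f.masked} @0x{f.offset:x}")
```

Running the scanner against a real dump is the cheap half; the finding that matters operationally is that any credential it surfaces must be rotated, since the dump may already have been copied.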

While that is true, Flüpke said, and the backend is not meant for end users but rather for token exchange, “you could take an arbitrary userID to generate a JWT token, which is an auth token without a password. That is useful because you can give it a userID and suddenly you are that user. We can’t pilot cars remotely with this, but we can authenticate with an API from this identity provider and access user data.”
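The flaw Flüpke describes is a token-exchange endpoint that mints a valid JWT for whatever userID the caller supplies, so the signature proves only that the identity provider signed it, not that anyone authenticated. The following added example, written for this page in Python with only the standard library and not taken from VW's backend, puts that weak issuance pattern next to a hardened one in which a token is minted only after a password check against a stored PBKDF2 hash, and shows the verifier that the downstream API would run. The signing key, the in-memory user store and the user IDs are constructed placeholders; a real identity provider keeps the key in a KMS or HSM rather than in a heap-reachable string.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo signing key; in production this lives in a KMS/HSM, never in application memory.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())


def mint_jwt(user_id: str, ttl: int = 3600, now: int | None = None) -> str:
    """Build a minimal HS256 JWT whose subject is user_id."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_sign(signing_input)}"


# Weak pattern from the article: the endpoint trusts a caller-supplied userID and signs it.
# The resulting token is cryptographically valid, which is exactly the problem.
def issue_token_unauthenticated(user_id: str) -> str:
    return mint_jwt(user_id)


# Hardened pattern: the subject of the token is bound to a successful credential check.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(store: dict[str, tuple[bytes, bytes]], user_id: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[user_id] = (salt, _hash_password(password, salt))


def issue_token_authenticated(store: dict[str, tuple[bytes, bytes]],
                              user_id: str, password: str) -> str:
    record = store.get(user_id)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users (timing)
        raise PermissionError("authentication failed")
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        raise PermissionError("authentication failed")
    return mint_jwt(user_id)


def verify_jwt(token: str, now: int | None = None) -> dict | None:
    """Return the claims if the signature, algorithm and expiry all check out, else None."""
    try:
        header, payload, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg confusion ("none", RS256 with the HMAC key, ...)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), signature):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    users: dict[str, tuple[bytes, bytes]] = {}
    register(users, "user-1234", "correct horse battery staple")   # constructed account
    print("authenticated:", verify_jwt(issue_token_authenticated(users, "user-1234",
                                                                   "correct horse battery staple")))
    # The weak endpoint happily produces a token for a user that never logged in:
    print("unauthenticated:", verify_jwt(issue_token_unauthenticated("user-9999")))
```

Note that `verify_jwt` accepts both tokens: the API behind the identity provider cannot tell a token minted for an arbitrary userID from a legitimate one, which is why the fix has to land at issuance, not at verification.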
