Flüpke said that he found the VW data problem by combining various coding tools, including Subfinder, GoBuster and Spring. Using the tools, Flüpke said that he was able to retrieve the heap dump from the VW internal environment because it was not password protected. A heap dump lists various objects within a Java Virtual Machine (JVM), which can reveal details about memory usage. That is supposed to be used for monitoring performance metrics and for introspection examinations.
Within that heap dump were listed, in plain text, various active AWS credentials. When Flüpke confronted VW with the discovery of those credentials, he quoted the company as saying, “the access to the data happened in a very complex multilayered process.”
While that is true, Flüpke said, and the backend is not meant for end users, rather used for token exchange, “you could take an arbitrary userID to generate a JWT token, which is an auth token without a password. That is useful because you can give it a userID and suddenly you are that user. We can’t pilot cars remotely with this, but we can authenticate with an API from this identity provider and access user data.”