Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere
A security researcher discovered vulnerabilities in a carmaker’s online dealership portal, allowing potential remote access to vehicles and sensitive customer data.
A security researcher has uncovered significant flaws in a carmaker’s online dealership portal that exposed the private information of customers and could have enabled hackers to remotely access vehicles.
Eaton Zveare, a security researcher at Harness, discovered that the vulnerabilities allowed the creation of an admin account with full access to the carmaker’s centralized web portal.
This access could have allowed a hacker to view personal and financial data, track vehicles, and even pair cars with mobile accounts to control vehicle functions remotely.
The flaws were traced to the portal’s login system: buggy client-side code running in the user’s browser allowed the login security checks to be bypassed.
Once inside, an attacker could access data from over 1,000 dealerships across the United States.
Zveare found a national consumer lookup tool that allowed users to search vehicle and driver data by entering just a customer’s name or a car’s vehicle identification number (VIN).
He also demonstrated how the vulnerability could have enabled unauthorized access to car functions such as unlocking vehicles.
Additionally, Zveare identified that the portal allowed users to impersonate other users without needing their login credentials, and to access dealer systems linked through single sign-on (SSO).
He found personally identifiable information, financial details, and real-time location tracking of rental or courtesy cars.
Zveare reported the issue to the carmaker, which fixed the vulnerabilities within a week.
The flaws highlight the risk that weak authentication poses to sensitive customer data and vehicle control systems.