\n<\/p>\n
A security researcher said flaws in a carmaker\u2019s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers\u2019 vehicles.<\/p>\n
Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted \u201cunfettered access\u201d to the unnamed carmaker\u2019s centralized web portal.<\/p>\n
With this access, a malicious hacker could have viewed the personal and financial data of the carmaker\u2019s customers, track vehicles, and enroll customers in features that allow owners \u2014 or the hackers \u2014 control some of their car\u2019s functions from anywhere.<\/p>\n
Zveare said he doesn\u2019t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.\u00a0<\/p>\n
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.<\/p>\n
Zveare, who has found bugs in carmakers\u2019 customer systems<\/a> and vehicle management systems<\/a> before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.\u00a0<\/p>\n He said while the security flaws in the portal\u2019s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new \u201cnational admin\u201d account.\u00a0<\/p>\n The flaws were problematic because the buggy code loaded in the user\u2019s browser when opening the portal\u2019s login page, allowing the user \u2014 in this case, Zveare \u2014 to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.<\/p>\n When logged in, the account granted access to more than 1,000 of the carmakers\u2019 dealers across the United States, he told TechCrunch.<\/p>\n \u201cNo one even knows that you\u2019re just silently looking at all of these dealers\u2019 data, all their financials, all their private stuff, all their leads,\u201d said Zveare, in describing the access.<\/p>\n Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look-up the vehicle and driver data of that carmaker.\u00a0<\/p>\n In one real-world example, Zveare took a vehicle\u2019s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car\u2019s owner. Zveare said the tool could be used to look-up someone using only a customer\u2019s first and last name.<\/p>\n With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their car\u2019s functions from an app, such as unlocking their cars.<\/p>\n Zveare said he tried this out in a real-world example using a friend\u2019s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation \u2014 effectively a pinky promise \u2014 that the user performing the account transfer is legitimate.\u00a0<\/p>\n \u201cFor my purposes, I just got a friend who consented to me taking over their car, and I ran with that,\u201d Zveare told TechCrunch. \u201cBut [the portal] could basically do that to anyone just by knowing their name \u2014 which kind-of freaks me out a bit \u2014 or I could just look up a car in the parking lots.\u201d<\/p>\n Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.<\/p>\n Another key problem with access to this carmaker\u2019s portal was that it was possible to access other dealer\u2019s systems linked to the same portal through single sign-on, a feature that allows users to login into multiple systems or applications with just one set of login credentials. Zveare said the carmaker\u2019s systems for dealers are all interconnected so it\u2019s easy to jump from one system to another.<\/p>\n With this, he said, the portal also had a feature that allowed admins, such as the user account he created, to \u201cimpersonate\u201d other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023<\/a>.<\/p>\n \u201cThey\u2019re just security nightmares waiting to happen,\u201d said Zveare, speaking of the user-impersonation feature.\u00a0<\/p>\n Once in the portal Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars, as well as cars being shipped across the country, and the option to cancel them \u2014 though, Zveare didn\u2019t try.<\/p>\n Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker.<\/p>\n \u201cThe takeaway is that only two simple API vulnerabilities blasted the doors open, and it\u2019s always related to authentication,\u201d said Zveare. \u201cIf you\u2019re going to get those wrong, then everything just falls down.\u201d<\/p>\n<\/div>\n