In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zvere reported that the bugs put a spotlight on the security of those dealership systems, which granted their employees and associates access to customers' and vehicles' information. The flaw was found earlier this year and was part of a weekend project.
He also added that the security flaw in the portal’s login system was a challenge to find; however, once he found it, the bugs kept on coming, letting him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic due to the buggy code loaded in the user’s browser when opening the portal’s login page, giving the users permission in this case. More so, the Zveare, reported for TechCrunch, that there was no evidence of past exploitation, suggesting that he was the first to find it and report to the automaker.
When logged in, the account granted access to over 1,000 of the carmaker’s dealers across the United States. Zveare also added, “No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads”.
What he found in the system was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of the carmaker.
For a better understanding of how the bug worked, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number in order to identify the car’s owner. Even more so, he also added that just a name was needed to look up someone.
After being granted access to the portal, he said that he had access to pair any vehicle to a mobile account, allowing customers to remotely control some of their car’s functions from an app, such as unlocking their cars.
He also tested his theory using a friend's account while having their consent. “For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name, which kind of freaks me out a bit — or I could just look up a car in the parking lots.”.
He also added that he did not test whether or not he could drive away, but he said the exploit could be abused by thieves to break into the cars and steal items from them.
Zveare also said that the bugs took about a week to fix in February 2025, shortly after his disclosure to the carmaker. “The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication,” said Zveare. “If you’re going to get those wrong, then everything just falls down”
.webp)
.webp)
