API Flaws in Automaker Portal Expose Data, Enable Car Control
Critical vulnerabilities in a major automaker's centralized dealership portal allowed unauthorized access to sensitive customer information and vehicle data. The flaws, discovered by Eaton Zveare, Senior Security Research Engineer at Harness, also enabled remote control of key vehicle functions, such as unlocking doors, by manipulating the platform.
The root cause was deficient authentication in the system. "The takeaway is that only two simple API vulnerabilities blasted the doors open, and it [is] always related to authentication," Zveare told TechCrunch. "If you are going to get those wrong, then everything just falls down."
The incident highlights the inherent risks of the centralized digital ecosystems the automotive industry has adopted to manage its dealership networks. These web portals act as a nexus for vast amounts of operational and customer information, including personally identifiable information (PII), financial data, service histories, and vehicle data. The vulnerability did not affect an isolated system but the core infrastructure connecting more than 1,000 dealers in the United States, TechCrunch reports.
The architecture of these systems often relies on Single Sign-On (SSO) mechanisms. While SSO improves usability for employees, it also introduces a critical single point of failure. A compromised administrative account, like the one the researcher created, can trigger a cascade effect that allows lateral movement across interconnected systems. Zveare says that a feature for "impersonating" other users, similar to one found in a Toyota portal in 2023, aggravates the risk. He describes such features as "security nightmares waiting to happen."
The flaw lay in the code loaded into the user's browser on the portal's login page. Zveare was able to modify that client-side code to bypass the security controls it enforced and create a new "national admin" account. The automaker, which the researcher did not name, confirmed after an internal investigation that it found no evidence of prior exploitation.
Once Zveare had access, he documented several exposed capabilities. The administrator account could view dealer financial and operational data as well as customer information, and a national search tool could locate a vehicle's owner from only the Vehicle Identification Number (VIN) or the customer's first and last name.
The portal also allowed any vehicle to be paired with a mobile account, a process that could let a malicious actor take control of the car's remote functions, such as unlocking the doors. The system required only an attestation, a simple declaration that the user was authorized, to transfer the vehicle's digital ownership, with no robust verification.
Furthermore, the SSO integration gave access to other linked dealer systems from the main portal, and the user impersonation feature let the administrator account operate within those systems as if it were any other employee, without needing their credentials. Portal access also compromised telematics systems, enabling real-time location tracking of rental, courtesy, or in-transit vehicles, with an option to cancel those shipments.
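The two authentication weaknesses described above, a browser-side check gating account creation and a self-declared attestation gating vehicle pairing, reduce to the same defect: the server trusts what the client sends. The following is an added illustration, not the portal's code, with constructed session and ownership records and hypothetical handler names; it places each vulnerable pattern beside a version that derives identity, role, and ownership from server-side state only.

```javascript
// Added example (not from the original article or the affected portal).
// Constructed data: a server-side session store and vehicle ownership records.
const sessions = {
  "sess-dealer-42": { user: "dealer42", role: "dealer" },
  "sess-admin-1":   { user: "admin1",   role: "national_admin" },
  "sess-cust-17":   { user: "cust-17",  role: "customer" },
};
const ownership = { "1HGCM82633A004352": { owner: "cust-17", verified: true } };

// Vulnerable: the only gate is a flag computed by the page's own JavaScript, and
// the role is copied from the request body. A client-side check is not a control.
function createAccountVulnerable(body) {
  if (!body.accountCreationAllowed) return { ok: false, reason: "ui-check" };
  return { ok: true, account: { user: body.user, role: body.role } };
}

// Hardened: authorization comes from the server-side session, never the body,
// and the requested role must be on an allow-list (no self-service admin roles).
function createAccountHardened(body, sessionId) {
  const s = sessions[sessionId];
  if (!s || s.role !== "national_admin") return { ok: false, reason: "forbidden" };
  const role = ["dealer", "service"].includes(body.role) ? body.role : null;
  if (!role) return { ok: false, reason: "bad-role" };
  return { ok: true, account: { user: body.user, role } };
}

// Vulnerable pairing: a self-declared attestation is the only proof of ownership.
function pairVehicleVulnerable(body) {
  if (body.attestation !== true) return { ok: false, reason: "no-attestation" };
  return { ok: true, vin: body.vin, mobileAccount: body.mobileAccount };
}

// Hardened pairing: the VIN must map to a verified owner record, the session must
// belong to that owner (or a national admin, whose action is audited), and the
// attestation field is ignored entirely because it proves nothing.
function pairVehicleHardened(body, sessionId, audit = []) {
  const s = sessions[sessionId];
  const rec = ownership[body.vin];
  if (!s || !rec || !rec.verified) return { ok: false, reason: "unverified" };
  if (s.user !== rec.owner && s.role !== "national_admin") {
    return { ok: false, reason: "forbidden" };
  }
  audit.push({ actor: s.user, vin: body.vin, account: body.mobileAccount });
  return { ok: true, vin: body.vin, mobileAccount: body.mobileAccount };
}
```

The detection angle follows directly: a server that derives role and ownership from its own records can log every admin-created account and every pairing with the acting identity, which is exactly the audit trail the attestation-only flow never produces.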