Security researcher Eaton Zveare unveiled a critical flaw in a major automaker’s dealer portal that could allow attackers to unlock and start consumer vehicles from anywhere.
The vulnerability, found in a little-known centralized dealer software platform used by more than 1,000 dealers across the United States, gives an attacker a path into the automaker's connected-car services: remote start, door locks and location tracking could all be controlled without the owner's authorization.
The vulnerable platform, built on a Java backend with an AngularJS frontend and fronted by two-factor authentication, was intended to manage sales orders, customer leads and vehicle enrollments.
Zveare found that the portal's HTML contained registration forms that were merely hidden with CSS. Unhiding them in the browser exposed a working sign-up flow, and the server did not enforce the invite token that was supposed to gate account creation, so anyone could register a new user.
From there, an attacker could call an API that checked only for a valid session, not for the caller's role, and use it to create national administrator accounts carrying full dealer-level privileges.
Holding national admin rights, the attacker can select any dealer account and open the portal's consumer enrollment interface.
A three-step process, entering a victim's name or Vehicle Identification Number (VIN), supplying odometer and driving-habit details, and confirming basic account information, transfers ownership of the target vehicle to an account the attacker controls.
The owner receives only an automated e-mail notification of the transfer, with nothing actionable that would let them reverse it. The attacker can then control the vehicle through the official mobile app.
Zveare underscored that this issue affects all vehicles equipped with the automaker’s standard telematics module dating back to model year 2012.
“You only need the target’s first and last name or VIN, which can be scraped in seconds from a parking lot,” he warned.
“This is a silent takeover—no malicious emails, no phishing. Dealers were trusted as the last mile for enrollment, and that trust becomes the exploit.”
Compounding the risk, Zveare found that a user-impersonation feature within the portal could be abused to pivot into sub-brand and regional dealer systems, bypassing session isolation and two-factor authentication entirely.
By manipulating SSO system identifiers, an attacker holding national admin credentials could gain entry to subsidiary platforms, widening the scope of compromise.
The automaker, informed in early February, acknowledged the vulnerability and deployed backend patches that validate user roles on all API endpoints.
The company confirmed completion of fixes and invited Zveare to verify remediation efforts prior to the public disclosure.
Customers have been notified to monitor their account activity and change their portal credentials as an added precaution.
This incident shows the cost of treating client-side hiding as a security control and of APIs that authenticate a session without authorizing the action; every API call needs server-side validation of the caller's role and scope.
As vehicle connectivity continues to deepen, the attack surface expands beyond traditional infotainment and mobile apps to include dealer and service portals.
Security experts urge automakers and tier-one suppliers to conduct comprehensive penetration tests, apply least-privilege principles, and continuously audit access controls to prevent similar high-impact breaches.