Adam Bannister
07 February 2023 at 17:34 UTC
Updated: 07 February 2023 at 17:38 UTC
Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage
A security researcher said he hacked into Toyota’s supplier management network and was able to access sensitive data associated with around 3,000 suppliers and 14,000 users worldwide.
Eaton Zveare compromised a web application used by Toyota employees and suppliers to coordinate projects, which holds details about parts, surveys, and purchases. Notable partners and suppliers found on the system included Michelin, Continental, and Stanley Black & Decker.
The researcher ultimately gained access to the Japanese carmaker’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator via a backdoor in the login mechanism.
A malicious breach could have exposed comments made by Toyota employees about suppliers and supplier rankings by risk and other variables, said Zveare.
Zveare described the security hole, which Toyota patched quickly, as “one of the most severe vulnerabilities I have ever found”.
Return true;
The path to exploitation began with patching the JavaScript code of GSPIMS, an Angular single-page application created by SHI International Corp on behalf of Toyota. Route guards of this kind run in the browser, so they only control what the UI shows; anyone who edits the code in their own browser can reach every page, and the real question is whether the API behind those pages enforces authorization on its own.
“Developers control access to Angular routes/pages by implementing CanActivate and CanActivateChild,” said Zveare in a blog post published yesterday (February 6). “Basically, when a user attempts to navigate to a route/page, you would determine if they are allowed to view it, and then return true or false. By patching both to return true, you can usually fully unlock an Angular app.”
He added: “The logout code also needed to be removed to prevent a redirect back to the login page. With those patches applied, the app loads and can be browsed.”
Zveare, who has previously pwned Jacuzzi’s SmartTub app, then triggered the backdoor with an HTTP request to the createJWT endpoint, which returned a JSON Web Token (JWT) for any email address supplied, with no password required.
The endpoint backed an ‘Act As’ feature that allowed highly privileged users to log in as any user worldwide, but the token could be requested without first authenticating as one of those privileged users.
Finding a valid email only required a little Googling of Toyota personnel, since Toyota’s North American addresses follow a predictable format (firstname.lastname@toyota.com).
Total, global control
Initially logged in as a user with a ‘Mgmt – Purchasing’ role, Zveare eventually reached SysAdmin after finding a rolePrivileges node in the user/details API response, and then a findByEmail API endpoint that listed a user’s managers, whose email addresses could in turn be fed to the same ‘Act As’ request.
Based on the additional tabs that appeared within the application, it was clear that “with a System Admin JWT, I basically had total, global control over the entire system”, said Zveare.
An attacker with that level of access could have deleted, modified or leaked data, or used it to craft spear-phishing campaigns.
Threat actors could have also “added their own user account with an elevated role, to retain access should the issue ever be discovered and fixed”, suggested Zveare.
Bounty recommendation
The researcher alerted Toyota to the backdoor on November 3, 2022. The carmaker responded the same day and confirmed on November 23 that the issue had been fixed.
Toyota and SHI fixed the issue by making the createJWT and associated endpoints return ‘HTTP status 400 – Bad Request’ in all cases.
“I was glad Toyota recognized the severity of the issue and quickly fixed it,” Zveare told The Daily Swig. “Toyota is a huge corporation and it seems like their security team is set up to efficiently address vulnerabilities across all aspects of the company.
“A bounty payment would have been nice, but they did not offer one in this case. I hope they will consider changing this in the future. Recognition is always appreciated, but offering rewards is how you attract top talent and keep exploits off the black market.”
The Daily Swig has invited Toyota to comment – no response yet, but we will update the article if and when they do so.