Security - August 11, 2025

Security Researcher Discovers Wide-Ranging Data Breach in Unnamed Car Manufacturer’s Portal, Allowing Potential Remote Vehicle Hacks

A security researcher has disclosed a serious vulnerability in an unnamed automaker's online dealership portal that exposed customers' private information and vehicle data. The flaw could have let an attacker gain remote access to any of the carmaker's customer vehicles.

The researcher, Eaton Zveare of the software delivery company Harness, said the vulnerability let him create an admin account with unrestricted access to the carmaker's centralized web portal. With that access, an attacker could have viewed customers' personal and financial data, tracked vehicles, and enrolled them in features that allow certain vehicle functions to be controlled remotely.

Zveare declined to name the vendor but said it is a well-known automaker with several popular sub-brands. Speaking ahead of his talk at the Def Con security conference in Las Vegas, he stressed that dealership systems like this one deserve careful protection, since they give employees and associates broad access to customer and vehicle information.

Zveare has previously found bugs in carmakers' customer-facing and vehicle-management systems. He came across this flaw earlier this year during a weekend project, he said. The hard part was spotting the weaknesses in the portal's login system; once found, they let him bypass login entirely by creating a new "national admin" account.

The flaw was serious because the login page's security checks ran in code delivered to the user's browser when the login page was opened. A check that lives only in the browser is under the user's control, not the site's, so a user (in this case, Zveare) could modify that code and bypass the login checks. The carmaker told Zveare it found no evidence that the flaw had been exploited before his report.

Once logged in, Zveare said, the account gave him access to more than 1,000 dealers across the United States. Within the dealership portal he found a national consumer lookup tool that let any logged-in user search for vehicle and driver data associated with the carmaker.

In one practical test, Zveare took the vehicle identification number (VIN) of a car in a public parking lot and used the tool to identify its owner. The tool could also look someone up by first and last name alone. With portal access, Zveare could further pair any vehicle with a mobile account, which allows certain car functions, such as unlocking the doors, to be controlled remotely from an app.

Zveare tested this in a real-world example using a friend's account, with their consent. When transferring ownership of the vehicle to an account he controlled, he found that the portal required only an attestation (essentially a verbal promise) from the person performing the transfer, which raises obvious concerns about abuse of the feature.

Zveare did not test whether he could drive away, but he worried that thieves could use the flaw to get into vehicles and steal what is inside. Access to the portal also opened the door to other dealers' systems linked through single sign-on, which lets a user log into multiple systems or applications with one set of credentials. Because the carmaker's dealer systems are interconnected, an attacker could easily jump from one to another.

The portal also had a user-impersonation feature that let admins (including the account Zveare created) "impersonate" other users, effectively granting access to other dealer systems without their logins. A similar feature was found in a Toyota dealer portal in 2023.

“These user-impersonation features are security nightmares waiting to happen,” said Zveare, expressing his concerns.

Inside the portal, Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed real-time location tracking of rental or courtesy cars as well as cars being shipped across the country, with the option to cancel them (which he did not attempt).

The carmaker fixed the bugs within a week of Zveare's disclosure in February 2025. "The takeaway is that only two simple API vulnerabilities blasted the doors open, and if you get authentication wrong, everything just falls down," said Zveare.