Red Hot Cyber


Vulnerability in a car dealership’s online login system: Researcher finds security flaws

Redazione RHC : 12 August 2025 22:10

A vulnerability was discovered in the online dealership login system of one of the world’s largest automakers, and all it took was a little digging into the page’s code. Security researcher Eaton Zveare of Harness reported that he exploited the vulnerability to create an administrative account with full access to the manufacturer’s internal portal. That access exposed sensitive customer data and vehicle information and even allowed remote control of car functions, including unlocking.

Zveare, who had previously identified bugs in car manufacturer systems, stumbled on the issue during a personal project over the weekend. He found that, on loading the login page, the customer’s browser received code that could be modified to bypass all of the authentication checks. This allowed the creation of a “national administrator” account with access to more than 1,000 dealerships in the United States.

Through this interface it was possible to view customers’ personal data, including contact information and some financial data, as well as to manage vehicle services. Among other things, this included real-time tracking of company vehicles and vehicles in transit, use of the telematics systems, and even cancellation of vehicle shipments.

One of the most disturbing elements of the system was the customer lookup tool, which required only a first and last name to retrieve information about a specific car and its owner. As an example, Zveare used the VIN of a car parked on the street and confirmed that this was sufficient to link the car to a specific person. According to him, it was possible to initiate a transfer of the car to another user simply by confirming the intent, with no verification at all. He tested this scenario with a friend’s consent and was able to take control of the other person’s car through a mobile app.

Equally dangerous was the ability to reach other dealerships’ connected systems with a single login. Thanks to the SSO (single sign-on) mechanism, the created administrator account could not only move between different parts of the infrastructure but also impersonate another user’s login. This granted the targeted employee’s rights, data, and systems without their knowledge; a similar mechanism had previously been abused on the dealer portal.

The researcher called the architecture a “time bomb,” noting that an attacker could view and use critical information such as offers, leads, and internal analytics without being detected. The company reportedly fixed the vulnerability within a week of the private disclosure in February 2025. Further investigation indicated that the flaw had never been exploited before: Zveare was the first to discover and report the weaknesses in the system.

According to Zveare, the root of the problem was, once again, something trivial: flaws in the API authentication system. Just two vulnerabilities exposed the entire internal world of the dealer network. Zveare sees this as a further reminder that as soon as access control collapses, everything collapses.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
