Redazione RHC : 12 August 2025 21:42
A vulnerability has been discovered in the online login system used by dealerships of one of the world's largest car manufacturers: all it took was a little digging into the login page's code. Security researcher Eaton Zveare of Harness reported that he was able to exploit the flaw to create an administrative account with full access rights to the manufacturer's internal portal. That access made it possible to obtain confidential customer data and vehicle information, and even to remotely control car functions, including unlocking.
Zveare, who had previously identified bugs in automaker systems, came across the issue by accident during a personal project over a weekend. He found that when the login page loaded, the browser received flawed client-side code that could be modified to bypass every authentication check. This made it possible to create a "national administrator" account with access to over 1,000 dealerships across the United States.
Through this interface it was possible to view customers' personal data, including contact details and some financial information, and to manage vehicle services. Among other things, this included real-time tracking of company vehicles and vehicles in transit via telematics systems, and even cancelling vehicle shipments.
One of the most disturbing parts of the system was the customer search tool, which required only a first and last name to retrieve information about a specific car and its owner. As a test, Zveare used the VIN of a car parked on the street and confirmed that this was enough to link the car to a specific person. According to him, it was possible to start transferring the car to another user's control simply by confirming a prompt, with no ownership verification at all. He tested this scenario with a friend's consent and was able to take effective control of someone else's car through a mobile app.
Equally dangerous was the ability to reach the connected systems of other dealerships with a single login. Thanks to the SSO (Single Sign-On) mechanism, the created administrator account could not only move between different parts of the infrastructure but also impersonate another user's login. This granted the targeted employee's rights, data, and systems without their knowledge; a similar mechanism had previously been abused in the dealer portal.
The researcher called the architecture a "ticking time bomb," noting that an intruder could view and use critical information, including deals, leads, and internal analytics, without being detected. The company reportedly fixed the vulnerability within a week of the private disclosure in February 2025. An investigation also showed that the flaw had never been exploited before: Zveare was the first to discover and report the weaknesses in the system.
According to Zveare, the root of the problem was once again something trivial: flaws in the API authentication system. Just two vulnerabilities exposed the entire internal world of the dealer network. Zveare sees this as yet another reminder that as soon as access control collapses, everything collapses.