Security researchers said a flaw in the automaker's online dealer portal could have made it public with customer personal information and vehicle data, allowing hackers to remotely break into one of the customer's vehicles.
Eaton Zveare, a security researcher at software distribution company Harness, told TechCrunch that the flaws he discovered allowed him to create an administrator account that granted “free access” to Carmaker's centralized web portal, which had no name.
This access allowed malicious hackers to view personal and financial data from car manufacturer customers, track vehicles, and register their customers with features that allow the owner or hacker to control some of the car's features from anywhere.
Zveare said it would not name the vendor, but it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his speech at the DEF Con Security Conference in Las Vegas on Sunday, Zveare said the bug will highlight the security of these dealer systems and give them extensive access to employee and customer information.
Zveare, who discovered a bug in the automaker's customer and fleet management systems, discovered the flaw earlier this year as part of a weekend project, he told TechCrunch.
He said that the security flaw in the portal's login system is difficult to find as he can completely divert the login mechanism by allowing him to create a new “national administrator” account after he finds it.
The flaw was an issue as the buggy code loaded into the user's browser when opening the portal login page allows the user (in this case ZVeare) to change the code and bypass the login security check. Zveare told TechCrunch that the carmaker had found no evidence of past exploitation, suggesting that he first found it and reported it to the carmaker.
Once logged in, the account granted access to more than 1,000 dealers from automakers across the United States, he told TechCrunch.
“No one knows that we're quietly looking at all the data, all the finances, all the private stuff, all the leads from these dealers,” Zveare explained about access.
Zveare said that one of the things he found within the dealer portal is a national consumer lookup tool that allows login portal users to search the car manufacturer's vehicle and driver data.
In one real example, Zveare obtained the vehicle's unique identification number from the windshield of a car in a public parking lot, and used that number to identify the vehicle's owner. Zveare said the tool can be used to search for someone using only the first and last name of a customer.
Zveare also said access to the portal allows you to pair your vehicle with your mobile account. This allows customers to remotely control some of their car's features from the app, such as unlocking the car.
Zveare said he used a friend's account to agree and tried this with a real-world example. When transferring ownership to an account managed by Zveare, he said the portal only requires proof (effectively Pinky's promise) that the user performing the account transfer is legal.
“For my purposes, I had a friend who agreed to take over their car, and I drove with it,” Zveare told TechCrunch. “but [the portal] Basically, you can do it to anyone just by knowing your name.
Zveare said he didn't test whether he could escape, but he said, for example, that it could be misused by burglars to break into and steal items from the vehicle.
Another important issue with access to this automaker's portal was the ability to access other dealer systems linked to the same portal via a single sign-on. This allows users to log in to multiple systems or applications with a set of login credentials. Zveare said that all the automaker systems for dealers are interconnected, making it easy to jump from one system to another.
This, he said, has the ability to allow administrators, such as user accounts, to “spoof” other users, to effectively allow access to other dealer systems as if they were those users without requiring login. Zveare said this is similar to the feature found in the Toyota dealer portal, which was discovered in 2023.
“They are security nightmares waiting for it to happen,” Zveare said of the user-in-memberization feature.
Once inside the portal, Zveare found the option to cancel, allowing for personally identifiable customer data, some financial information, and real-time location tracking of rental and courteous cars, as well as real-time location tracking of vehicles shipped nationwide, but Zveare did not attempt.
Zveare said the bug took about a week to fix it in February 2025, soon after its disclosure to the car manufacturer.
“Takeout means that two simple API vulnerabilities open the door and are always relevant to authentication,” Zveare said. “If you try to get them wrong, everything will just fall.”