Critical Security Flaw in Carmaker Portal Allows Hackers to Remotely Unlock Vehicles
A severe flaw in a major automaker’s dealer portal has allowed unauthorized attackers to register for dealer accounts, escalate privileges to a national administrator, and ultimately control vehicles remotely. The vulnerability resides in the portal’s Java/SAP backend and AngularJS frontend, where a hidden registration form could be exposed and abused. Security researcher Eaton Zveare discovered that attackers exploited a hidden HTML registration form that was meant to stay invisible until a valid invite token was supplied. By forcing the form to display via Chrome DevTools and omitting the Invite_Token parameter from the POST request, attackers bypassed server-side token validation entirely: the critical API endpoint accepted a blank token and enrolled the rogue user as a dealer employee. Once registered, attackers found that a normal login did not create a usable session, but invoking the profile update API established a valid JSESSIONID cookie, enabling further exploitation.
With elevated access, Zveare reached the dealer SSO management system and leveraged its “Portal Login As Dealer” impersonation feature. By substituting the SSO_SYS_ID parameter in the SSO URL, he pivoted into previously inaccessible sub-brand dealer portals. The chain culminated in access to the vehicle enrollment API, which pairs customer accounts to a Vehicle Identification Number (VIN). After transferring ownership of a vehicle to his test account, Zveare used the official mobile app to send remote unlock and start commands, confirming full control over the vehicles. Victims received automated email alerts but had no way to reverse the silent takeover. The flaw affects all vehicles from the 2012 model year onward that are equipped with standard telematics modules. Automakers are urged to apply immediate patches that enforce server-side invite token validation, tighten session management for JSESSIONID cookies, and implement least-privilege checks on all administrative APIs.
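The registration bypass described above comes down to a server that only validates the invite token when the field is present. The following added example (not code from the article or from the affected portal, whose backend is Java/SAP) contrasts that pattern with a handler that requires, validates, expires and single-uses the token and binds the new account to the dealer the invite was issued for; the form field name `Invite_Token` is taken from the article, the dealer ids and store layout are constructed for illustration.

```python
import hmac
import secrets
import time


class InviteStore:
    """Constructed in-memory invite table: token -> dealer, expiry, used flag."""

    def __init__(self):
        self.tokens = {}

    def issue(self, dealer_id, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"dealer": dealer_id,
                              "expires": time.time() + ttl_seconds,
                              "used": False}
        return token


def register_vulnerable(form, store):
    """Mirrors the flaw: the token is checked only if the client sent one."""
    token = form.get("Invite_Token")
    if token:  # a missing or blank field skips validation entirely
        if token not in store.tokens:
            return 400, "invalid invite token"
    # dealer/role come from the request, so an uninvited user self-enrolls
    return 201, "dealer employee created for %s" % form.get("email")


def register_hardened(form, store):
    """Require a token, look it up in constant time, enforce expiry and single use."""
    token = form.get("Invite_Token")
    if not token:
        return 400, "invite token required"
    entry = None
    for known, data in store.tokens.items():  # compare_digest avoids timing leaks
        if hmac.compare_digest(known.encode(), token.encode()):
            entry = data
    if entry is None or entry["used"] or entry["expires"] < time.time():
        return 400, "invalid or expired invite token"
    entry["used"] = True  # one enrollment per invite
    # the dealer binding comes from the invite, never from the form
    return 201, "dealer employee created for %s at dealer %s" % (
        form.get("email"), entry["dealer"])
```

Logging every rejected registration (missing, unknown, expired or reused token) gives the portal operator the detection signal that was absent here.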
Categories: Cybersecurity Vulnerabilities, Remote Vehicle Control, Privilege Escalation
Tags: Automaker, Dealer Portal, Unauthorized Access, Privilege Escalation, Remote Control, Vulnerability, Registration Form, JSESSIONID, API Exploitation, Telematics