AT2k Design BBS Message Area
Casually read the BBS message area using an easy to use interface. Messages are categorized exactly like they are on the BBS. You may post new messages or reply to existing messages!


Local Database / Slashdot [184 / 191]
From: VRSS
To: All
Subject: Security Flaws In Carmaker's Web Portal Let a Hacker Remotely Unlock Cars
Date/Time: August 17, 2025 11:00 AM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Security Flaws In Carmaker's Web Portal Let a Hacker Remotely Unlock Cars

Link: https://it.slashdot.org/story/25/08/17/022125...

Three years ago security researcher Eaton Zveare discovered a vulnerability
in Jacuzzi's SmartTub interface allowing access to the personal data of every
hot tub owner. Now Zveare says flaws in an unnamed carmaker's dealership
portal "exposed the private information and vehicle data of its customers,"
reports TechCrunch, "and could have allowed hackers to remotely break into
any of its customers' vehicles." Zveare, who works as a security researcher
at software delivery company Harness, told TechCrunch the flaw he discovered
allowed the creation of a ["national"] admin account that granted "unfettered
access" to the unnamed carmaker's centralized web portal. With this access, a
malicious hacker could have viewed the personal and financial data of the
carmaker's customers, tracked vehicles, and enrolled customers in features
that allow owners - or the hackers - to control some of their cars' functions
from anywhere. Zveare said he doesn't plan on naming the vendor, but said it
was a widely known automaker with several popular sub-brands. In an interview
with TechCrunch ahead of his talk at the Def Con security conference in Las
Vegas on Sunday, Zveare said the bugs put a spotlight on the security of
these dealership systems, which grant their employees and associates broad
access to customer and vehicle information... The flaws were problematic
because the buggy code loaded in the user's browser when opening the portal's
login page, allowing the user - in this case, Zveare - to modify the code to
bypass the login security checks. Zveare told TechCrunch that the carmaker
found no evidence of past exploitation, suggesting he was the first to find
it and report it to the carmaker. When logged in, the account granted access
to more than 1,000 of the carmaker's dealers across the United States, he
told TechCrunch... With access to the portal, Zveare said it was also
possible to pair any vehicle with a mobile account, which allows customers to
remotely control some of their cars' functions from an app, such as unlocking
their cars... "The takeaway is that only two simple API vulnerabilities
blasted the doors open, and it's always related to authentication," said
Zveare. "If you're going to get those wrong, then everything just falls
down." Zveare told TechCrunch the portals even included "telematics systems
that allowed the real-time location tracking of rental or courtesy cars..."
"Zveare said the bugs took about a week to fix in February 2025, soon after
his disclosure to the carmaker." Thanks to long-time Slashdot reader schwit1
for sharing the article.

Read more of this story at Slashdot.

---
VRSS v2.1.180528

VADV-PHP
VADV-PHP Copyright © 2002-2025 Steve Winn, Aspect Technologies. All Rights Reserved.
Virtual Advanced Copyright © 1995-1997 Roland De Graaf.
v2.1.250224