
Eaton Zveare - a security researcher at software company Harness - has discovered a serious vulnerability in a car manufacturer's dealership portal that exposed personal data and customer vehicle information and could allow attackers to control vehicles remotely, according to TechCrunch.
Zveare said the vulnerability allowed the creation of an administrative account with unrestricted access to the automaker's centralized web system. With that access, attackers could view personal and financial data, track vehicle locations, and even trigger remote-control features such as unlocking.
Zveare found the flaw earlier this year while working on a personal project. Although it was difficult to find, once exploited it let him complete the registration flow and create a national-level administrator account. The cause was that the flawed code was loaded into the browser as soon as the login page opened, so it could be edited to bypass the authentication mechanism. The automaker was not named for security reasons; the company said there were no signs the vulnerability had been exploited before the report.
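The pattern described above, a registration gate enforced by code shipped to the browser, is easiest to see beside the server-side version of the same gate. The following is an added illustration, not the portal's code (which is not public); the request shapes, step names, session store and role names are constructed for the example.

```javascript
// Added illustration, not the portal's own code: a registration handler that
// trusts state the browser sends back beside one that keeps the gate on the
// server. Request shapes, step names and role names are constructed.

// Steps the server must itself have verified before an account may be created.
const REQUIRED_STEPS = ["invite_verified", "email_confirmed"];

// Vulnerable variant: the page's JavaScript decided when the form could advance
// and which role to request, and the server simply trusted what came back.
// Editing the page script (or the request) is enough to claim both.
function vulnerableRegister(req, users) {
  if (!req.body.stepsCompleted) {
    return { status: 400, error: "complete all registration steps" };
  }
  const user = { username: req.body.username, role: req.body.role || "dealer_user" };
  users.set(user.username, user);
  return { status: 201, user };
}

// Hardened variant: each step is recorded in server-side session state only
// when the server verified it, and the role comes from the validated invite.
function hardenedRegister(req, sessions, users) {
  const session = sessions.get(req.sessionId);
  if (!session) {
    return { status: 401, error: "no registration session" };
  }
  const missing = REQUIRED_STEPS.filter((step) => !session.completed.has(step));
  if (missing.length > 0) {
    return { status: 403, error: "steps not verified: " + missing.join(", ") };
  }
  // The client-supplied role is ignored; the invite the server validated decides it.
  const user = { username: req.body.username, role: session.invitedRole };
  users.set(user.username, user);
  return { status: 201, user };
}

// Called by the server only after it has verified the step itself
// (e.g. looked up the invite code, received the confirmation-link click).
function markStepVerified(sessions, sessionId, step, invitedRole) {
  const session = sessions.get(sessionId) || { completed: new Set(), invitedRole };
  session.completed.add(step);
  sessions.set(sessionId, session);
}

// A constructed request edited to claim every step done and an admin role.
function tamperedRequest(sessionId) {
  return {
    sessionId,
    body: { username: "eve", stepsCompleted: true, role: "national_admin" },
  };
}

// Tampered request with no server-side session: the vulnerable handler creates
// the admin account; the hardened handler rejects the request.
function demoTampered() {
  const users = new Map();
  const sessions = new Map();
  const v = vulnerableRegister(tamperedRequest("s-1"), users);
  const h = hardenedRegister(tamperedRequest("s-1"), sessions, users);
  return { vulnerableRole: v.user.role, hardenedStatus: h.status };
}

// Same tampered body, but with a session in which the server verified a
// dealer-level invite: the account is created with the invited role only.
function demoLegitimate() {
  const users = new Map();
  const sessions = new Map();
  markStepVerified(sessions, "s-2", "invite_verified", "dealer_user");
  markStepVerified(sessions, "s-2", "email_confirmed", "dealer_user");
  const h = hardenedRegister(tamperedRequest("s-2"), sessions, users);
  return { status: h.status, role: h.user.role };
}

console.log(demoTampered(), demoLegitimate());
```

The design point is that nothing the browser sends decides whether a step was completed or which privilege the account receives; both facts live in server-side session state that only server-verified events can change. A useful detection signal for the same class of bug is an account-creation request whose claimed role or step flags disagree with what the server recorded for that session.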
With that access, Zveare could reach data from more than 1,000 dealers in the US, looking up vehicle and owner information with only a name or a VIN. He tested this on a friend's car and found that the system required only verbal confirmation to transfer account ownership.
The portal also offered a single sign-on into other dealers' systems and could impersonate another user without a password. This resembles the flaw found in Toyota's systems in 2023.
Inside the system, Zveare found identification data, some financial information, the ability to track the real-time location of rental vehicles, service vehicles and vehicles in transport, and even an option to cancel a transport order.
The automaker fixed the flaw after receiving the report in February 2025. Zveare's warning: just two simple API vulnerabilities are enough to break down the security doors.