One security researcher said the defects on the electronic dealership portal of an automotive industry exposed the private information of its customers ‘information and vehicles and could allow hackers to enter any of its customers’ vehicles.
Eaton Zveare, who works as a security researcher at the software delivery company, told TechCrunch that the defect he discovered allowed the creation of an administrator account that “unlimited access” to the UNAMPED CARMAKER Web Central Gate.
With this access, a malicious hacker could have seen the personal and financial data of automotive customers, monitor vehicles and register customers in features that allow owners – or hackers – to check some of their car functions from anywhere.
Zveare said he was not planning to name the seller, but said he was a widely known car industry with several popular sub-brakes.
In an interview with TechCrunch before his discussion at the Def Con Security Conference in Las Vegas on Sunday, Zveare said the errors have put the focus of the security of these dealership systems, which are granted to their employees and linking wide access to customer information.
Zveare, who found errors Car customer systems and Vehicle Management Systems Before, he found the defect earlier this year as part of a weekend project, he told TechCrunch.
He said that while the security defects in the portal connection system was a challenge to find himself, as soon as he found it, the errors let him bypass the connection mechanism as a whole by allowing him to create a new “national manager” account.
The defects were problematic because the Buggy code was loaded on the user’s browser when opening the gate connection page, allowing the user – in this case, zveare – to modify the code to bypass the login checks. Zveare told TechCrunch that the automotive industry had found no information on the previous exploitation, suggesting that he was the first to find it and reports it in the automotive industry.
When logged in, the account issued access to more than 1,000 of car representatives in all the United States, he told TechCrunch.
“No one even knows that you are just looking silently at all these dealers’ data, all their finances, all their private things, all their pencils,” Zveare said, describing access.
Zveare said that one of the things he found inside the dealership gate was a national consumer search tool that allowed users associated with registered gates to search for vehicle and driver’s driver’s data.
In a real example, Zveare received the unique vehicle identification number from the windshield of a car in a public parking lot and used the number to identify the car owner. Zveare said the tool could be used to search for someone who only uses the first and last name of the customer.
With access to the gate, Zveare said it was also possible to combine any vehicle with a mobile account, which allows customers to remotely control some of their car functions from an application, such as unlocking their cars.
Zveare said he tried it in a real example using a friend’s account and their consent. By transferring property to an account controlled by Zveare, he said that the gate requires only one certainty – essentially a pinky promise – that the user who executes the account transfer is legal.
“For my purposes, I just got a friend who agreed to take over his car and ran with it,” Zveare told TechCrunch. “But [the portal] He could actually do this to anyone only knowing his name-his kind of fooling me a little or I could just look at a car in parking. ”
Zveare said he did not consider whether he could be removed, but said that the exploitation could be abused by thieves to enter and steal objects from vehicles, for example.
Another key problem with access to the gateway to this automotive industry was that it was possible to access the systems of other representatives associated with the same gate through a single connection, a feature that allows users to connect to multiple systems or applications with only one set of connectors. Zveare said car systems for delegates are all interconnected, so it is easy to jump from one system to another.
With that, he said, the gate also had a feature that allowed managers, such as the user account it created, to “mimic” other users, effectively allowing access to other dealers as if they were the user without the need for their connections. Zveare said this was similar to a feature found on a toyota dealer gate Discovered in 2023.
“They are just security nightmares waiting to happen,” Zveare said, talking about the user’s feature.
Once at the Zveare gate, he found personal recognizable customer data, some financial information and telematics systems that allowed real-time monitoring of rental or courtesy cars, as well as cars sent across the country and the choice to cancel them-if Zveare did not.
Zveare said the errors took about a week to be corrected in February 2025 shortly after its disclosure in the automotive industry.
“The takeaway is that only two simple API vulnerabilities threw the doors open and is always related to authentication,” Zveare said. “If you are going to take these mistake then everything falls.”
