Flaws in automaker's portal could've let hackers control cars remotely
The automaker has not been named

Aug 11, 2025, 07:26 pm

What's the story

A security researcher has flagged serious vulnerabilities in the web portal of a popular automaker. The flaws could have allowed hackers to remotely unlock and control customers' vehicles from anywhere, compromising sensitive customer data and vehicle information. The automaker, which has several well-known sub-brands, was not named by the researcher, Eaton Zveare of software delivery firm Harness.

Portal flaws

Researcher found bug in dealer portal login system

Zveare discovered the vulnerabilities while exploring the dealer portal as a weekend project. He found a bug in the portal's login system that could be exploited with code run directly in the browser on the login page. This allowed him to bypass the portal's security checks and create a "national admin" account with unrestricted access to over 1,000 dealers across America.

Security breach

Could track vehicles in real time, unlock cars remotely

With the admin access, Zveare could view sensitive customer and financial data, track vehicles in real time, and enroll users in connected features, allowing remote control of vehicle functions. This included unlocking cars. He even demonstrated this by pairing a friend's car with an account he controlled after getting their consent. The portal only required a simple attestation confirming the legitimacy of the account transfer to enable this feature.

Impersonation risk

Portal used SSO to connect multiple dealer systems

The portal also used single sign-on (SSO) to connect multiple dealer systems. Once logged in, Zveare could "impersonate" other users and access their portals without needing any of their credentials. He called this feature a "security nightmare," similar to another vulnerability he discovered in a Toyota dealer portal back in 2023.

Fix implemented

Vulnerabilities fixed after disclosure to automaker

After Zveare disclosed the vulnerabilities, the automaker fixed them within about a week in February 2025. He summed up the risk by saying, "Only two simple API vulnerabilities blasted the doors open, and it's always related to authentication. If you're going to get those wrong, then everything just falls down." This case highlights serious security risks in dealership portals that grant broad access to sensitive data and vehicle controls.