Vulnerability in automaker dealer portal

Security researcher Eaton Zveare has identified a serious flaw in a major automaker’s dealer portal that could enable hackers to unlock and start consumer vehicles remotely. This vulnerability, found in a centralized dealer software platform used by over 1,000 dealers in the U.S., exposes a backdoor into connected car services, allowing unauthorized control over remote start, door locks, and location tracking.

The platform, built on a Java backend with an AngularJS frontend and protected by two-factor authentication, was designed for managing sales orders and customer leads. Zveare's research revealed that hidden registration forms in the portal's HTML could be accessed by altering CSS properties, bypassing invite-token validation and allowing new user accounts to be created.

An attacker could exploit an API that only validated session identifiers, creating national administrator accounts with full dealer privileges. With these rights, they could access any dealer account and initiate a vehicle ownership transfer by entering the victim’s name or Vehicle Identification Number (VIN). The vehicle owner would only receive an automated email notification of the transfer, with no means to reverse it, allowing attackers to control the vehicle via the official mobile app.
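The following is an added example, not code from the article or the vendor: a framework-neutral Python sketch of the two server-side checks whose absence is described above, the invite check on self-registration and the role check on account creation. All handler names, role names, session entries and invite records are hypothetical and constructed for illustration.

```python
# Constructed sample state; every identifier here is hypothetical.
SESSIONS = {
    "sess-dealer": {"user": "dana", "role": "dealer_user"},
    "sess-admin": {"user": "nat", "role": "national_admin"},
}
INVITES = {
    "inv-7f3a": {"email": "new.hire@dealer.example",
                 "role": "dealer_user", "used": False},
}
# Roles each caller role is allowed to grant when creating an account.
MAY_GRANT = {
    "national_admin": {"national_admin", "dealer_admin", "dealer_user"},
    "dealer_admin": {"dealer_user"},
    "dealer_user": set(),
}


def create_user_session_only(session_id, new_email, new_role):
    """Flawed pattern: a valid session is treated as sufficient authority."""
    if session_id not in SESSIONS:
        return 401
    return 201  # any logged-in caller can create any role


def create_user_authorized(session_id, new_email, new_role):
    """Hardened: authenticate the session, then authorize the requested role."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    if new_role not in MAY_GRANT.get(session["role"], set()):
        return 403  # caller's own role does not permit granting new_role
    return 201


def register_with_invite(token, email):
    """Self-registration: the server validates the invite on every request,
    regardless of whether the form was visible or hidden in the browser."""
    invite = INVITES.get(token or "")
    if invite is None or invite["used"]:
        return 403, None
    if invite["email"] != (email or "").lower():
        return 403, None
    invite["used"] = True  # single use
    # The granted role comes from the invite record, never from the request.
    return 201, invite["role"]
```

Hiding a form with CSS controls only what the browser renders; the checks in `register_with_invite` and `create_user_authorized` hold no matter how the request was produced.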