Researcher Finds Major Dealer System Vulnerability
A security researcher has uncovered security flaws in a major carmaker’s online dealership portal.
These weaknesses could have allowed hackers to unlock cars remotely, track vehicles, and view private customer data.
Eaton Zveare, a researcher at software delivery company Harness, discovered the problem earlier this year. The automaker’s name remains undisclosed, but it is known to have several popular sub-brands.
How the Vulnerability Was Found
Zveare began the investigation as a weekend project. While testing the portal’s login page, he noticed buggy code being loaded in the browser.
Because the login checks ran in that client-side code, which is under the user’s control, he was able to bypass them and create a new “national admin” account.
With that account, he had unrestricted access to the dealership network, which covers more than 1,000 U.S. dealers.
“No one even knows you’re silently looking at all this data — financials, leads, private info,” said Zveare.
What Hackers Could Do
With admin access, an attacker could:
- View customers’ personal and financial data.
- Track vehicles in real time through the telematics systems.
- Look up any customer by name or by vehicle identification number (VIN). Zveare demonstrated this by taking the VIN from a parked car and using the lookup tool to find its owner’s details.
- Pair any vehicle to their own mobile account, enabling remote functions such as unlocking the car.
- “Impersonate” other dealer accounts without needing those accounts’ login details.
Real-World Test
To prove the risk, Zveare asked a friend for permission to transfer their car’s mobile access to him. The system required only a self-attestation — essentially a digital pinky promise — to proceed.
With this, he could unlock the vehicle remotely. While he didn’t attempt to drive away, the flaw could let thieves steal items from cars with ease.
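To make the two mistakes concrete, here is an added example in plain JavaScript. It is not the carmaker’s portal code, and every session id, role, VIN, record and the consent-code mechanism in it are assumptions built for illustration. It models the browser-trusted admin check behind the login bypass and the self-attestation behind the vehicle transfer, each beside a version that enforces the decision on the server.

```javascript
// Added illustration, not the carmaker's portal code. A toy dealer-portal API
// showing the two authentication mistakes the article describes, each beside a
// hardened version. Every name, role, VIN and record here is an assumption
// constructed for the example.

// Server-side session store, populated only by a real login. This is the sole
// trustworthy source of who the caller is and what role they hold.
const sessions = new Map([
  ["sess-dealer-42", { user: "dealer42", role: "dealer" }],
  ["sess-admin-1", { user: "hqadmin", role: "national_admin" }],
]);

// Vehicle records and one-time transfer codes the backend already holds
// (constructed sample data, seeded by resetState()).
const vehicles = new Map();
const consentCodes = new Map();
const accounts = [];

function resetState() {
  vehicles.clear();
  vehicles.set("1HGCM82633A004352", { ownerEmail: "alice@example.com" });
  vehicles.set("WBA3A5C50CF256789", { ownerEmail: "bob@example.com" });
  consentCodes.clear();
  // Code the backend sent to Alice out of band when she approved a transfer.
  consentCodes.set("1HGCM82633A004352", "734-219");
  accounts.length = 0;
}

// --- Flaw 1: the login/role check lives in the browser -----------------------
// The page's JavaScript decides whether the user is an admin and sends the
// verdict along; the API trusts it. Anyone can edit that script or call the
// API directly with isAdmin: true and mint a national admin without logging in.
function createAccountVulnerable(req) {
  if (!req.isAdmin) return { status: 403 };
  accounts.push({ user: req.newUser, role: req.newRole });
  return { status: 201 };
}

// Hardened: identity and role come only from the server-side session.
function createAccountFixed(sessionId, req) {
  const caller = sessions.get(sessionId);
  if (!caller) return { status: 401 };                          // not logged in
  if (caller.role !== "national_admin") return { status: 403 }; // wrong role
  accounts.push({ user: req.newUser, role: req.newRole, createdBy: caller.user });
  return { status: 201 };
}

// --- Flaw 2: a self-attestation replaces proof of ownership -----------------
// The caller merely asserts "I own this car" and the backend pairs the VIN to
// the caller's mobile account, which then exposes remote unlock and location.
function pairVehicleVulnerable(sessionId, req) {
  const caller = sessions.get(sessionId);
  if (!caller) return { status: 401 };
  if (!vehicles.has(req.vin) || req.attestOwner !== true) return { status: 400 };
  return { status: 200, pairedTo: caller.user };
}

// Hardened: the VIN must be on record and the request must carry the
// single-use code the backend issued to the current owner of record.
function pairVehicleFixed(sessionId, req) {
  const caller = sessions.get(sessionId);
  if (!caller) return { status: 401 };
  if (!vehicles.has(req.vin)) return { status: 404 };
  const expected = consentCodes.get(req.vin);
  if (expected === undefined || req.consentCode !== expected) return { status: 403 };
  consentCodes.delete(req.vin); // code is consumed; a replay gets 403
  return { status: 200, pairedTo: caller.user };
}

// Walk through both flaws with an anonymous attacker and a plain dealer session.
function runDemo() {
  resetState();
  const admin = { newUser: "attacker", newRole: "national_admin" };
  const bobsCar = { vin: "WBA3A5C50CF256789" };
  const alicesCar = { vin: "1HGCM82633A004352" };
  return {
    anonMintsAdmin: createAccountVulnerable({ ...admin, isAdmin: true }).status,                         // 201
    anonRejected: createAccountFixed(undefined, admin).status,                                          // 401
    dealerRejected: createAccountFixed("sess-dealer-42", admin).status,                                 // 403
    realAdminOk: createAccountFixed("sess-admin-1", admin).status,                                      // 201
    attestPairsBobsCar: pairVehicleVulnerable("sess-dealer-42", { ...bobsCar, attestOwner: true }).status, // 200
    noCodeRejected: pairVehicleFixed("sess-dealer-42", { ...bobsCar, consentCode: "000-000" }).status,     // 403
    ownerCodeOk: pairVehicleFixed("sess-dealer-42", { ...alicesCar, consentCode: "734-219" }).status,      // 200
    replayRejected: pairVehicleFixed("sess-dealer-42", { ...alicesCar, consentCode: "734-219" }).status,   // 403
  };
}

console.log(runDemo());
```

The point of the hardened variants is that nothing the client sends is treated as a decision: the role is read from the session the server created at login, and the pairing succeeds only against a record the server already holds. A real deployment would also rate-limit and constant-time-compare the consent code; that is left out here to keep the two checks visible.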
Why the Risk Was So High
The carmaker’s dealer systems are all interconnected through single sign-on (SSO), so a foothold in one portal often extends to many others.
Zveare compared it to a Toyota dealer portal flaw found in 2023, where an impersonation feature created similar risks.
Inside the system, he found:
- Personally identifiable customer data.
- Financial records.
- Real-time tracking of rental or courtesy vehicles.
- Options to cancel vehicle shipments.
Response and Fix
The vulnerabilities were reported to the carmaker in early 2025. The company fixed the issues within a week.
Zveare said that just two simple API authentication flaws were behind the whole exposure.
“If you get authentication wrong, everything else falls apart,” he warned.
Key Takeaways
- A major carmaker’s dealer portal had critical flaws allowing remote car unlocking and data access.
- The researcher created a national admin account through a login bypass.
- Risks included tracking vehicles, stealing data, and impersonating dealers.
- Only two authentication bugs were behind the whole exposure.
- Fixes were implemented quickly after disclosure.
This discovery highlights the urgent need for strong authentication and secure coding practices in the automotive industry’s connected systems.