RIEM News

Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere

Source: TechCrunch
Author: Zack Whittaker
Published: 8/11/2025

To read the full content, please visit the original article.

A security researcher, Eaton Zveare from Harness, discovered critical security flaws in a major carmaker’s online dealership portal that exposed private customer information and vehicle data. The vulnerabilities allowed the creation of an unauthorized “national admin” account, granting full access to the centralized portal used by over 1,000 dealers across the U.S. This access enabled a hacker to view sensitive personal and financial data, track vehicles, and enroll customers in features that remotely control car functions, such as unlocking doors via a mobile app. The flaws stemmed from buggy code loaded in users’ browsers on the login page, which Zveare exploited to bypass authentication entirely.

Zveare demonstrated how the portal’s national consumer lookup tool could identify vehicle owners using minimal information, such as a vehicle identification number seen in public or just a customer’s name. He also showed that transferring vehicle control to a different mobile account required only a simple attestation, making unauthorized takeovers feasible. Although he did not test driving the vehicles,

Tags

IoT, cybersecurity, connected-cars, remote-vehicle-access, automotive-security, hacking, vehicle-telematics