Flaws in a carmaker's online dealership portal exposed customers' private information and vehicle data, and could have allowed attackers to break into any of its customers' cars, a security researcher said.
Eaton Zveare, a security researcher at a software delivery company, told TechCrunch that the flaw he discovered allowed him to create an admin account with "unrestricted access" to the central web portal of the carmaker, which he has not named.
With that access, malicious hackers could have viewed the personal and financial data of the carmaker's dealers, tracked vehicles, and enrolled customers in features that let owners, or attackers, remotely control some of their car's functions from anywhere.
Zveare said he does not plan to name the carmaker, but said it is a widely known automaker with several well-known sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs expose the weak security of these dealer systems, which give the carmaker's employees and partners broad access to customer and vehicle information.
Zveare, who has previously found bugs in carmakers' customer systems and dealership management systems, said he found the flaw earlier this year as a weekend project.
He said that while the security flaws in the portal's login system were challenging to find, once found, the bugs allowed him to bypass the login entirely by creating a new "national admin" account.
The flaws were a problem because buggy code was loaded into the user's browser when the portal's login page opened, allowing a user, in this case Zveare, to modify that code and bypass the login's security checks. A check that runs in the browser is under the control of whoever operates the browser, so it cannot enforce anything; the server has to make the authentication and authorization decision itself. Zveare told TechCrunch that the carmaker had no evidence of prior exploitation, suggesting he was the first to find the flaw and report it to the carmaker.
Once logged in, the account had access to more than 1,000 of the carmaker's dealers across the United States, he told TechCrunch.
Describing the access, Zveare said: "No one knows that you are silently looking at all of these dealers' data, all their financial data, all their private affairs, and all their leads."
Zveare said one of the things he found inside the dealer portal was a nationwide search tool for looking up customers registered with the carmaker, along with their vehicle data.
In one example, Zveare took the vehicle identification number (VIN) visible through the windshield of a car in a parking lot and used it to identify the car's owner. Zveare said the tool could also be used to find a person using only their first and last name.
With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which lets customers remotely control some of their car's functions from the app, such as unlocking their cars.
Zveare said he tested this on a real vehicle using a friend's account, with the friend's consent. To transfer ownership to an account he controlled, he said, the portal required only an attestation, effectively a pinky promise, that the user making the transfer was legitimate.
"To cover myself, I just got a friend who agreed to let me hack his car, and ran with that," Zveare told TechCrunch. "But [the portal] could basically do this for anyone just by knowing their name, which kind of horrified me a little, or I could look up a car in a parking lot."
Zveare said he did not test whether he could drive away with the car, but said the flaw could be abused by thieves to break into vehicles and steal items from them, for example.
Another major problem with access to this carmaker's portal was that it was possible to reach other dealer systems linked to the same portal through single sign-on, a feature that lets users log in to multiple systems or applications with a single set of credentials. Zveare said the carmaker's dealer systems are all interconnected, so it was easy to jump from one system to another.
He said the portal also had a feature that allowed admins, such as the user account he created, to "impersonate" other users, effectively granting access to other dealer systems as that user without needing to log in. Zveare said this was similar to a flaw he found in a Toyota dealer portal in 2023.
"It's just security nightmares waiting to happen," Zveare said of the user impersonation feature.
With access to the portal, Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed real-time location tracking of rental or courtesy cars, as well as cars being shipped across the country, along with an option to cancel them, although Zveare did not try it.
Zveare said the flaws took about a week to fix in February 2025, shortly after he disclosed them to the carmaker.
"It's just that only two vulnerabilities in the API blew the doors open, and they are always related to authentication," Zveare said. "If you make that mistake, everything just falls apart."