Major Security Flaw Exposes Customers' Data in Popular Automaker's Portal

8/10/2025
A security researcher uncovered critical flaws in a major automaker's dealership portal, exposing customer data and allowing potential remote vehicle access for hackers. The vulnerabilities highlight serious security concerns in automotive systems.

Major Security Flaw Exposed in Online Dealership Portal of Leading Automaker

A recent revelation by security researcher Eaton Zveare has unveiled serious vulnerabilities within a prominent carmaker’s online dealership portal. These flaws not only jeopardized the private information and vehicle data of customers but also posed a significant risk by potentially allowing hackers to remotely access and control vehicles.

Discovery of Vulnerabilities

Zveare, who is affiliated with software delivery company Harness, shared his findings with TechCrunch ahead of his presentation at the Def Con security conference in Las Vegas. He highlighted a critical flaw that enabled the creation of an admin account, granting “unfettered access” to the carmaker’s centralized web portal. This access could have allowed malicious actors to view sensitive personal and financial data, track vehicles, and enroll themselves or customers in functionalities that facilitate remote control of vehicle functions.

While Zveare chose not to disclose the name of the automaker, he described it as a widely recognized brand with several popular sub-brands. He emphasized the importance of acknowledging the security risks associated with dealership systems, which often provide extensive access to customer and vehicle information.

How the Flaw Was Exploited

During a weekend project earlier this year, Zveare discovered the vulnerability in the portal’s login system. Although identifying the flaw was challenging, he ultimately managed to bypass the login mechanism entirely by creating a new “national admin” account. The problematic code loaded in the user’s browser upon accessing the portal’s login page, allowing Zveare to modify it and circumvent the security checks.
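The pattern described above, as an added illustration that is not the portal's own code: when the login check runs in code delivered to the browser, nothing the browser sends back can be trusted, so the API must re-derive the caller's identity and privileges from server-side state before acting on a request such as creating a "national admin" account. The session store, role names and request shape are assumptions.

```javascript
// Added example, not the automaker's code. Models the defect class in the article:
// an authorization decision that lives in browser-side script is attacker-controlled,
// so the server must re-check identity and role from its own session state.
// Session ids, roles and the request shape below are hypothetical.

// Server-side session store: the only trusted source of who the caller is.
const sessions = new Map([
  ['sess-dealer-42', { userId: 'u42', role: 'dealer_user' }],
  ['sess-admin-7', { userId: 'u7', role: 'national_admin' }],
]);

const allowedRoles = new Set(['dealer_user', 'national_admin']);

// Weak pattern: the endpoint assumes the browser-side login script already
// enforced access, and trusts whatever flags and role the client sends.
function createAccountWeak(req) {
  if (!req.body.authenticated) return { status: 401 };
  return { status: 201, account: { username: req.body.username, role: req.body.role } };
}

// Hardened pattern: identity and role come from the server-side session only;
// only an existing national_admin may create another one, and the requested
// role is validated against a server-side allow-list.
function createAccountHardened(req) {
  const session = sessions.get(req.cookies && req.cookies.sessionId);
  if (!session) return { status: 401 };               // no trusted identity at all
  if (session.role !== 'national_admin') return { status: 403 }; // authenticated, not authorized
  if (!allowedRoles.has(req.body.role)) return { status: 400 };  // unknown role requested
  return {
    status: 201,
    account: { username: req.body.username, role: req.body.role, createdBy: session.userId },
  };
}

// Constructed request: no valid session cookie, but the browser-side state
// (which a user can edit freely) claims the login check passed.
const tamperedRequest = {
  cookies: {},
  body: { authenticated: true, username: 'new-admin', role: 'national_admin' },
};

console.log('weak endpoint:', createAccountWeak(tamperedRequest).status);          // 201: account created
console.log('hardened endpoint:', createAccountHardened(tamperedRequest).status);  // 401: rejected
```

The hardened handler also distinguishes 401 from 403, which gives the defender a clean signal: a burst of 403s on an admin-creation endpoint from dealer-level sessions is worth alerting on.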

Upon gaining access, Zveare found that the account allowed visibility into data from over 1,000 dealerships across the United States. “No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” Zveare explained, underscoring the gravity of the situation.

Accessing Sensitive Customer Data

Inside the dealership portal, Zveare discovered a national consumer lookup tool that enabled logged-in users to access vehicle and driver data. In a practical demonstration, he used the vehicle identification number (VIN) of a parked car to identify its owner. The same tool could be used to look up personal information from nothing more than a customer’s name, raising significant privacy concerns.

Additionally, Zveare noted that it was possible to link any vehicle with a mobile account, granting customers remote control over certain functionalities of their cars via an app, such as unlocking their vehicles. He tested this capability with a friend's consent and found that the portal only required a simple attestation to transfer vehicle ownership to an account under his control. “The portal could basically do that to anyone just by knowing their name,” he remarked, highlighting a serious security vulnerability.

Implications of Interconnected Systems

Another alarming aspect of the carmaker’s portal was the ability to access various dealer systems through a single sign-on feature. This interconnectedness facilitated easy navigation between systems, heightening the risk of unauthorized access. Zveare pointed out that the portal allowed admin accounts to “impersonate” other users, effectively bypassing login requirements and gaining access to additional dealer systems.

This impersonation feature was reminiscent of vulnerabilities Zveare had found in a Toyota dealer portal in 2023, which he described as “security nightmares waiting to happen.” Once inside the portal, Zveare encountered personally identifiable customer data, financial records, and telematics systems capable of real-time location tracking for rental or courtesy vehicles.

Conclusion and Recommendations

Following Zveare’s disclosure of the vulnerabilities, the carmaker addressed the issues within a week in February 2025. He concluded that the root of the problem lay in two simple API vulnerabilities, emphasizing that inadequate authentication protocols could lead to catastrophic security failures. “If you’re going to get those wrong, then everything just falls down,” Zveare warned.

This incident serves as a critical reminder of the importance of robust security measures in online dealership portals to protect customer data and vehicle integrity. As the automotive industry increasingly relies on digital solutions, the need for stringent security practices is more essential than ever.

© Copyright 2025 BreakingOn. All rights reserved.