Security Researcher Exposes Major Flaw in Carmaker’s Web Portal

By Lisa Wong

Our very own Eaton Zveare, a security researcher at Harness, is behind an important discovery. In his second major finding, he identified a glaring vulnerability in the centralized web portal of an unnamed car manufacturer. The defect would allow anyone, including malicious actors, to obtain sensitive information without any constraints. Its impact extends to the 1,000+ dealerships nationwide that rely on the portal.

Zveare’s investigation revealed that he could create an admin account within the carmaker’s portal, which provided him with comprehensive access to critical dealer data. This alarming discovery highlights substantial weaknesses in the carmaker’s online security measures and raises concerns about potential exploitation by malicious actors.

The researcher started by reading a vehicle’s unique vehicle identification number (VIN) through its windshield, which is notable because the testing began in a public parking lot. Using that number, he was able to trace the vehicle back to its owner, a shocking illustration of just how easy it is to obtain personal information. Zveare noted that two trivial API vulnerabilities were enough to produce a huge breach, and, as he pointed out, such vulnerabilities always come down to an authentication problem.

Zveare underscored the seriousness of the issue, explaining what it would mean to have this kind of vulnerability. “They’re security nightmares just waiting to happen,” he cautioned. He pointed out how lax security procedures could be dangerous not only for the automaker but for its consumers.

Zveare responsibly recognized the potential danger of this flaw and quickly reported it to TechCrunch, so that the tech community would start paying attention to the issue from the beginning. He also stressed that he was able to access sensitive data without anyone ever finding out. Unfortunately, many dealers and customers alike are completely unaware of just how exposed their data really is. As he described it, someone with this access could secretly take note of every dealer’s metrics and review their financials, sensitive private information and leads right under their noses without them even knowing.

This event brings attention to the ongoing challenges regarding cybersecurity in the automotive sector. As the number of internet-connected vehicles rises, so does the threat of a potentially disastrous cyberattack. One weakness in one corner of the system can set off ripple effects across the country, affecting manufacturers and the millions of Americans who rely on these vehicles for their day-to-day transportation needs.

Eaton Zveare’s findings serve as a powerful reminder of how critical it is for companies to put cybersecurity first. Especially in this moment, when online platforms are increasingly essential for all commerce, these protections are urgently needed. To safeguard sensitive data, manufacturers must use best security practices and routinely test their defenses to uncover weaknesses in their systems.