Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere

A recent discovery by a security expert has unveiled serious vulnerabilities within a well-known automaker's online dealership portal, potentially compromising customer data and vehicle security. Eaton Zveare, a security researcher at Harness, revealed that the flaws he identified could have permitted malicious actors to remotely access and manipulate customer vehicles.

Zveare explained that the vulnerability allowed him to create an administrative account that provided unrestricted access to the automaker's centralized web portal. With this access, a hacker could potentially view sensitive personal and financial information of customers, track vehicles, and even enroll in features that enable remote control of car functions. Although Zveare chose not to disclose the identity of the automaker, he emphasized that it is a prominent company with several widely recognized sub-brands.

In an interview with TechCrunch prior to his presentation at the Def Con security conference, Zveare expressed concern over the security implications of such dealership systems. These systems grant extensive access to both employees and associates, raising significant questions about data protection practices.

Zveare discovered the vulnerabilities during a weekend project earlier this year, noting that while pinpointing the security flaws in the portal's login system was challenging, it ultimately allowed him to bypass the login entirely by creating a new 'national admin' account. The security flaws stemmed from buggy code that executed within the user's browser upon accessing the login page, allowing Zveare to alter the code and circumvent security checks. He reported that the automaker found no evidence of prior exploitation, indicating that he may have been the first to identify and report these issues. Once logged in, the account provided access to over 1,000 dealerships across the United States.

Describing the level of access, Zveare noted, "No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads." Within the portal, he discovered a national consumer lookup tool that enabled users to retrieve vehicle and driver information using minimal data, such as a car's unique identification number or a customer’s name.

Zveare demonstrated the potential misuse of the portal by successfully pairing a vehicle to a mobile account, allowing remote functionalities like unlocking doors. He emphasized the ease of this process, which only required a basic attestation of legitimacy, essentially a verbal confirmation. This vulnerability could theoretically allow unauthorized access to anyone’s vehicle data simply by knowing their name.

Moreover, Zveare pointed out that the interconnected nature of the carmaker’s systems could lead to further security breaches. The portal featured a user-impersonation capability, enabling one user to access another's data without needing their credentials, a serious concern echoed in previous vulnerabilities identified in other dealer portals.

Zveare concluded by stating that the flaws he uncovered were straightforward API vulnerabilities that exposed critical weaknesses in authentication protocols. He stressed the importance of robust security measures, noting, "If you’re going to get those wrong, then everything just falls down." The automaker has since addressed the vulnerabilities, with fixes implemented shortly after Zveare's disclosure in February 2025.
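The core defect described above, a security check that lives only in browser-side code while the server trusts whatever the client submits, is easy to reproduce in miniature. The following is an added illustration, not code from the article or from the automaker's portal, and every name in it is hypothetical: an account-creation handler that honours a client-supplied role beside one that decides the role server-side.

```python
# Added illustration (not the automaker's code): why a check enforced only in
# browser JavaScript does not protect the server. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLES = {"national_admin", "dealer_admin"}


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # username -> role
    sessions: dict = field(default_factory=dict)  # session token -> username


def create_account_vulnerable(store: Store, body: dict) -> str:
    """Trusts the role the client sends. The login page's JavaScript may hide
    the admin option, but an edited request reaches this code unchanged."""
    store.users[body["username"]] = body.get("role", "user")
    return store.users[body["username"]]


def create_account_hardened(store: Store, body: dict,
                            session_token: Optional[str]) -> str:
    """Role is decided server-side: an admin role is granted only when the
    caller already holds an authenticated admin session; otherwise refuse."""
    requested = body.get("role", "user")
    if requested in ADMIN_ROLES:
        caller = store.sessions.get(session_token)
        if caller is None or store.users.get(caller) not in ADMIN_ROLES:
            raise PermissionError("admin role requires an authenticated admin")
    store.users[body["username"]] = requested
    return requested


def demo():
    # Constructed request carrying a 'role' field the browser UI never exposes.
    tampered = {"username": "mallory", "role": "national_admin"}
    vuln_store = Store()
    got_vuln = create_account_vulnerable(vuln_store, tampered)   # admin granted
    hard_store = Store(users={"alice": "national_admin"},
                       sessions={"tok-alice": "alice"})
    try:
        create_account_hardened(hard_store, tampered, None)
        blocked = False
    except PermissionError:
        blocked = True                                            # refused
    granted = create_account_hardened(
        hard_store, {"username": "bob", "role": "dealer_admin"}, "tok-alice")
    return got_vuln, blocked, granted
```

The same principle applies to the impersonation feature mentioned below: the server, not the client, must verify that the caller is entitled to act as another user, and it should log each such use.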

Sources: TechCrunch

Published On: Aug 11, 2025, 24:20
