Hackers Bypass BMW Defenses Through Subdomain Vulnerability
Cybernews specialists identified two BMW subdomains vulnerable to an exploit allowing malicious actors to redirect users to harmful websites. This vulnerability, named SAP Redirect, affected SAP NetWeaver Application Server Java web servers, enabling the creation of counterfeit links to malicious sites through BMW subdomains.
The SAP Redirect vulnerability allows a cybercriminal to forge a redirect link by inserting a string into the subdomains:
“sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite[.]com”
The final URL would appear as:
“https://<…>.bmw.com/sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite[.]com”
The two vulnerable BMW subdomains were used to access internal BMW dealer systems. Exploiting this flaw could lead to targeted phishing or the spread of malware: because the affected SAP system performed the redirect without validating the destination, an attacker who manipulated the URL parameters could send users to a malicious site or inject arbitrary content into what appeared to be a legitimate BMW page.
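The weakness described above is a classic open redirect: the logoff endpoint forwards the browser to whatever the redirecturl parameter names. The following is an added example, not code from the article, Cybernews, BMW or SAP. It shows the kind of check such a flaw slips past beside a hardened validator that only accepts same-site paths or allow-listed hosts, and a small scanner that flags logoff requests with external redirect targets in access logs. The allow-list, the host maliciouswebsite.example, the client addresses and the log lines are constructed for illustration; only the /sap/public/bc/icf/logoff path and the redirecturl parameter come from the article.

```python
"""Open-redirect validation and detection for a ``redirecturl``-style parameter.

Added example; not code from the article, Cybernews, BMW or SAP. The path
/sap/public/bc/icf/logoff and the ``redirecturl`` parameter are the ones the
article names; the allow-list and sample log lines are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of hosts the application may legitimately redirect to.
ALLOWED_HOSTS = {"www.example-portal.com", "dealer.example-portal.com"}

LOGOFF_PATH = "/sap/public/bc/icf/logoff"


def naive_is_safe(target: str) -> bool:
    """The kind of check an open redirect slips past: any https URL or any
    string beginning with '/' is accepted, so an external site passes."""
    return target.startswith("https://") or target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only absolute-path relative URLs ('/x') or http(s) URLs whose
    host is on the allow-list. ``target`` must already be percent-decoded,
    as it is after query-string parsing."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so '/\\evil.example' would be
    # followed as '//evil.example'; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require a leading '/', but reject the
        # protocol-relative form '//host' which would leave the site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data:, and any scheme-less '//host' form.
        return False
    # ``hostname`` strips userinfo and port, so 'allowed@evil.example' and
    # 'allowed.example-portal.com.evil.example' are both compared as-is.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def redirect_target(request_path: str) -> Optional[str]:
    """Return the decoded ``redirecturl`` value of a logoff request, or None
    if the request is not a logoff or carries no redirect parameter."""
    parts = urlsplit(request_path)
    if not parts.path.endswith(LOGOFF_PATH):
        return None
    values = parse_qs(parts.query).get("redirecturl")
    return values[0] if values else None


# Constructed access-log lines in common-log style (not real BMW traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /sap/public/bc/icf/logoff'
    '?redirecturl=/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html HTTP/1.1" 302',
    '10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "GET /sap/public/bc/icf/logoff'
    '?redirecturl=https%3A%2F%2Fmaliciouswebsite.example%2Flogin HTTP/1.1" 302',
    '10.0.0.9 - - [01/Mar/2024:10:00:09 +0000] "GET /sap/public/bc/icf/logoff'
    '?redirecturl=%2F%2Fmaliciouswebsite.example HTTP/1.1" 302',
    '10.0.0.7 - - [01/Mar/2024:10:00:12 +0000] "GET /sap/bc/webdynpro/sap/start HTTP/1.1" 200',
]

_REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def suspicious_redirects(log_lines) -> List[Tuple[str, str]]:
    """Return (client, decoded target) for every logoff request whose
    redirect target fails ``is_safe_redirect``; useful as a detection rule
    while the server-side fix is being rolled out."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        client, path = match.groups()
        target = redirect_target(path)
        if target is not None and not is_safe_redirect(target):
            hits.append((client, target))
    return hits


if __name__ == "__main__":
    for client, target in suspicious_redirects(SAMPLE_LOG):
        print(f"external redirect from {client}: {target}")
```

The validator fails closed: anything that is not plainly a same-site path or an allow-listed http(s) host is rejected, which covers protocol-relative URLs, userinfo tricks, lookalike subdomains and non-web schemes. The same function drives the log scanner, so detection and prevention agree on what counts as external.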
Although not critical, the flaw opens up numerous opportunities for phishers targeting company employees or customers. For example, an email could be sent pretending to be from management and requesting some action; because the link points at a genuine BMW domain, it is far more convincing than an obviously foreign one. If a user opens the link and enters their credentials on the attacker's page, the attackers could gain access to systems for spreading ransomware or other malicious purposes. The vulnerability could also be used for mass phishing campaigns targeting customers.
Attackers could exploit the flaw to steal credentials or disseminate malware among unsuspecting users. When a victim clicks on what appears to be a legitimate link, they are redirected to the attacker’s site. At this point, malicious JavaScript is executed in the client’s browser, or the user is prompted to enter confidential information.
Upon discovering the vulnerability, Cybernews researchers reported it to BMW, and it was promptly rectified. It was noted that the now-resolved vulnerability did not compromise systems associated with the BMW Group, and that no data was leaked or misused. A BMW representative assured that information security is a priority for the BMW Group, and the company states that it employs multi-level security controls for access to internal systems.
To prevent vulnerabilities like SAP Redirect, Cybernews recommends applying SAP patches, adhering to secure coding practices, and regularly conducting security assessments to identify and prevent vulnerabilities. Users should also be cautious when clicking on links, even if the domain looks legitimate.