Just Two Flaws in a Car Manufacturer’s Portal Allowed a Researcher to Unlock Cars and Expose Data
A vulnerability was discovered in the online dealer portal of one of the world's largest car manufacturers, and it was uncovered simply by reading the page's client-side code. Security researcher Eitan Zwer of Harness reported that the flaw let him create an administrative account with full privileges on the manufacturer's internal portal. The flaw exposed sensitive customer data and vehicle information and even allowed certain car functions to be controlled remotely, up to and including unlocking the vehicle.
Zwer, who had previously found flaws in automotive systems, stumbled on the issue during a personal weekend project. He found that when the login page loaded, the browser fetched JavaScript whose authentication logic ran on the client side; editing that script in the browser was enough to bypass every authentication check. That made it possible to register a "national administrator" account with access to more than a thousand dealership locations across the United States.
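The failure class described above, as an added example (not the portal's own code and not the researcher's): the only gate in front of "create administrator account" is a flag in the browser's script, and the API then trusts whatever role the client submits. The hardened version derives the caller's identity from a server-side session and checks the requested role against the caller's own privileges. Role names, session tokens, dealer IDs and usernames are constructed for illustration.

```javascript
// Added example, not code from the portal. Models a client-trusted account-creation flow
// and a server-side fix. All names, tokens and IDs are constructed.

// --- what the browser received (constructed) ---------------------------------
// A client-side flag is not a control: the attacker flips it in DevTools or a proxy.
const CLIENT_CONFIG = { allowAdminCreate: false };

function clientBuildsRequest(config, form) {
  // This "check" runs on the attacker's machine, so after tampering it always passes.
  if (!config.allowAdminCreate && form.role === "national_admin") {
    return { ...form, role: "dealer_user" };
  }
  return form;
}

// --- what the server actually knows about callers (constructed session store) -
const SESSIONS = {
  "tok-dealer-123": { user: "alice", role: "dealer_user", dealerId: 123 },
  "tok-dadmin-123": { user: "carol", role: "dealer_admin", dealerId: 123 },
  "tok-natadmin": { user: "hq-admin", role: "national_admin", dealerId: null },
};

// Vulnerable pattern: the API believes the role the client put in the request body.
function createAccountVulnerable(body) {
  return { user: body.username, role: body.role, dealerId: body.dealerId ?? null };
}

// Hardened pattern: identity comes from the session; the requested role is checked
// against the caller's privileges before any account is created.
function createAccountHardened(sessionToken, body) {
  const caller = SESSIONS[sessionToken];
  if (!caller) throw new Error("unauthenticated");
  const role = body.role ?? "dealer_user";
  if (caller.role === "national_admin") {
    return { user: body.username, role, dealerId: body.dealerId ?? null, createdBy: caller.user };
  }
  if (caller.role === "dealer_admin") {
    if (role === "national_admin") throw new Error("forbidden: role escalation");
    if (body.dealerId !== caller.dealerId) throw new Error("forbidden: cross-dealer");
    return { user: body.username, role, dealerId: body.dealerId, createdBy: caller.user };
  }
  throw new Error("forbidden: caller cannot create accounts");
}

// Attacker flow (constructed): flip the client flag, then call the API with no valid session.
const TAMPERED_CONFIG = { ...CLIENT_CONFIG, allowAdminCreate: true };
const ATTACK_BODY = clientBuildsRequest(TAMPERED_CONFIG, { username: "mallory", role: "national_admin" });

// Returns the outcome of the same request against both implementations.
function attackOutcome() {
  const vulnerable = createAccountVulnerable(ATTACK_BODY);
  let hardened;
  try {
    hardened = createAccountHardened(undefined, ATTACK_BODY);
  } catch (e) {
    hardened = e.message;
  }
  return { vulnerable, hardened };
}

console.log(attackOutcome());
```

The lesson is not that the client-side flag should have been better hidden; any check the browser performs is advisory. The server must authenticate the caller itself and decide, from its own records, whether that caller may grant the role being requested.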
Through this interface, one could view customers’ personal details—including contact and partial financial information—as well as manage vehicle-linked services. These capabilities included real-time tracking of service and transport vehicles, use of telematics systems, and even the cancellation of vehicle shipments.
One of the most alarming features was the customer search tool, which needed only a first and last name, or a VIN, to return detailed information about a specific car and its owner. As a proof of concept, Zwer took the VIN of a vehicle parked on the street and confirmed that it alone was enough to link the car to its owner. According to him, it was also possible to transfer a vehicle to another user's control; the only requirement was a confirmation of intent, with no verification of ownership whatsoever. He tested this scenario with a friend's consent and was able to take over the friend's car through the manufacturer's mobile app.
Equally dangerous was the ability to reach other dealerships' systems from the same account. Because the portal used Single Sign-On (SSO), the administrator account could move freely across different parts of the infrastructure and even impersonate other users, gaining full access to another employee's permissions, data and systems without their knowledge. This is similar to a vulnerability previously discovered in Toyota's dealer portal.
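The two authorization gaps just described, the vehicle transfer that needed only a "confirm" flag and lookups that let one account read any dealership's customers, as an added example (not the portal's code and not the researcher's). Where the first flaw was broken authentication, these are missing object-level authorization: the server never asked whether this caller may act on this VIN or this customer. VINs, names, phone numbers, dealer IDs and session tokens are constructed.

```javascript
// Added example, not code from the portal. Models an unverified ownership transfer and an
// unscoped customer lookup next to versions that check who the caller is in relation to
// the object being touched. All data below is constructed.

const VEHICLES = {
  "1HGCM82633A004352": { owner: "alice", dealerId: 123 },
  "5YJ3E1EA7KF317000": { owner: "dave", dealerId: 456 },
};
const CUSTOMERS = {
  alice: { dealerId: 123, phone: "+1-555-0100" },
  dave: { dealerId: 456, phone: "+1-555-0199" },
};
const SESSIONS = {
  "tok-alice": { user: "alice", role: "customer", dealerId: null },
  "tok-mallory": { user: "mallory", role: "customer", dealerId: null },
  "tok-dealer-123": { user: "carol", role: "dealer_admin", dealerId: 123 },
  "tok-hq": { user: "hq-admin", role: "national_admin", dealerId: null },
};

// Fresh copy of the vehicle table so each call starts from the same state.
function freshVehicles() {
  return JSON.parse(JSON.stringify(VEHICLES));
}

// Vulnerable: "confirmation of intent" is the only check before ownership changes.
function transferVehicleVulnerable(vehicles, body) {
  if (!body.confirm) throw new Error("not confirmed");
  vehicles[body.vin].owner = body.newOwner;
  return vehicles[body.vin];
}

// Hardened: the caller must be the current owner, the dealership of record, or a
// national admin, and every transfer is written to an audit trail on the record.
function transferVehicleHardened(vehicles, sessionToken, body) {
  const caller = SESSIONS[sessionToken];
  if (!caller) throw new Error("unauthenticated");
  const v = vehicles[body.vin];
  if (!v) throw new Error("unknown vin");
  const isOwner = caller.role === "customer" && caller.user === v.owner;
  const isDealerOfRecord = caller.role === "dealer_admin" && caller.dealerId === v.dealerId;
  const isNationalAdmin = caller.role === "national_admin";
  if (!isOwner && !isDealerOfRecord && !isNationalAdmin) {
    throw new Error("forbidden: not owner or dealer of record");
  }
  if (!body.confirm) throw new Error("not confirmed");
  v.transferLog = [...(v.transferLog ?? []), { by: caller.user, from: v.owner, to: body.newOwner }];
  v.owner = body.newOwner;
  return v;
}

// Vulnerable lookup: any logged-in account can read any customer at any dealership.
function lookupCustomerVulnerable(name) {
  return CUSTOMERS[name] ?? null;
}

// Hardened lookup: scoped to the caller's dealership unless the caller is a national
// admin; a customer can only read their own record.
function lookupCustomerHardened(sessionToken, name) {
  const caller = SESSIONS[sessionToken];
  if (!caller) throw new Error("unauthenticated");
  const rec = CUSTOMERS[name];
  if (!rec) return null;
  if (caller.role === "national_admin") return rec;
  if (caller.role === "dealer_admin" && caller.dealerId === rec.dealerId) return rec;
  if (caller.role === "customer" && caller.user === name) return rec;
  throw new Error("forbidden: out of scope");
}

// Constructed attack: a stranger with a valid customer login tries to take alice's car.
const STRANGER_TRANSFER = { vin: "1HGCM82633A004352", newOwner: "mallory", confirm: true };
console.log(transferVehicleVulnerable(freshVehicles(), STRANGER_TRANSFER).owner); // mallory
```

Note that the hardened transfer still lets a national admin move a car, which is what a legitimate head-office role needs; the point is that the decision is made from the caller's verified identity and recorded, instead of from a boolean the caller supplied.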
Zwer described the system's architecture as a "ticking time bomb," stressing that it let a user quietly view and exploit highly sensitive information, including deals, leads and internal analytics. After he privately disclosed the flaw in February 2025, the manufacturer patched it within a week. Its investigation found no evidence of prior exploitation; Zwer appears to have been the first to discover and report the weaknesses.
According to Zwer, the root cause once again lay in the simplest of failures: broken API authentication. Just two vulnerabilities had unlocked the entire internal ecosystem of the dealership network. As he put it, “When access control collapses—everything collapses.”