A security researcher has revealed critical vulnerabilities in the web portal of a well-known carmaker that could have allowed hackers to remotely unlock and control customers’ vehicles from anywhere. The flaws exposed private customer data and vehicle information, and offered a backdoor into the company’s entire dealer network.
Eaton Zveare, a security researcher at software delivery firm Harness, discovered the weaknesses earlier this year while exploring the dealer portal as a weekend project. The unnamed carmaker has several popular sub-brands, though Zveare declined to disclose the name.
Zveare explained that the main issue was a bug in the portal’s login system. By exploiting code that loaded directly in the browser on the login page, he was able to bypass security checks and create a “national admin” account with unrestricted access to the portal. This gave him control over more than 1,000 dealers across the United States.
With this admin access, Zveare could view sensitive customer and financial data, track vehicles in real time, and enroll users in connected features that allow remote control of vehicle functions, including unlocking the car.
One alarming example Zveare shared involved using a vehicle’s identification number visible through the windshield in a public parking lot to trace the owner’s personal details via the portal. The system also allowed searches by customer name alone, meaning it could be used to identify vehicle owners with minimal information.
Zveare tested the remote control feature with a friend’s consent, successfully pairing the friend’s car with an account he controlled, enabling remote unlocking. The portal required only a simple attestation confirming the legitimacy of the account transfer, a weak safeguard that could be easily exploited by malicious actors.
Though he did not test driving the vehicle, Zveare warned thieves could abuse these flaws to break into cars or steal valuables.
Further compounding the risk, the portal used single sign-on (SSO) to link multiple dealer systems. Once logged in, Zveare was able to “impersonate” other users, gaining access to other dealer portals without needing their credentials. He called this feature a “security nightmare,” echoing a similar flaw he found in a Toyota dealer portal in 2023.
Inside the portal, Zveare found personally identifiable customer information, financial records, and telematics data, including real-time tracking of rental or courtesy vehicles and those being shipped nationwide. Although the portal included an option to cancel shipments, Zveare did not attempt to use this feature.
Following his disclosure, the carmaker patched the vulnerabilities within about a week in February 2025.
Zveare summed up the risk bluntly: “Only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication. If you’re going to get those wrong, then everything just falls down.”
This case highlights serious security risks in dealership portals that grant broad access to sensitive data and vehicle controls. It underscores the need for stronger authentication and tighter access controls to prevent potentially devastating exploits.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
