Security Flaws in Carmaker's Web Portal Allow Hacker to Remotely Unlock Cars

A security researcher discovered vulnerabilities in a carmaker's online dealership portal that exposed customer and vehicle data and could have let attackers break into vehicles remotely. Eaton Zveare, a security researcher at Harness, found a flaw that let him create an administrator account with unrestricted access to the carmaker's centralized web portal. With that access, a malicious hacker could view customers' personal and financial data, track vehicles, and remotely control certain car functions. Zveare declined to name the carmaker, describing it only as a well-known brand with multiple sub-brands.

In an interview with TechCrunch, Zveare pointed to the broader weakness of dealership systems, which give staff wide access to customer and vehicle information. Zveare, who had previously found vulnerabilities in other carmakers' customer and vehicle management systems, uncovered this flaw during a weekend project. The vulnerabilities were in the portal's login system: its security checks ran in code delivered to the user's browser, so a user could modify that code to bypass them. Exploiting this, he bypassed the login and created a "national admin" account. The carmaker told him it found no evidence of prior exploitation, suggesting Zveare was the first to find the flaw.

The admin account gave access to the data of more than 1,000 dealers across the U.S. Zveare described it as being able to silently observe all dealer data, including financials and customers' private information. One feature, a national consumer lookup tool, let users look up vehicle and driver data; Zveare demonstrated it by taking the vehicle identification number (VIN) from a parked car and identifying the car's owner. Portal access also allowed any vehicle to be paired with a mobile account, giving remote control of car functions such as unlocking the doors.

Zveare tested this with a friend's consent, transferring the friend's vehicle to an account he controlled; the portal required only a self-declaration that the transfer was legitimate. Although he did not test whether the car could then be driven away, Zveare warned that thieves could use the same path to break into vehicles and steal from them. The portal also offered single sign-on into other dealers' systems: an admin could impersonate any user and log in to linked dealer systems without knowing that user's credentials. This feature resembled one Zveare found in a Toyota dealer portal in 2023.

Zveare warned that the impersonation feature was particularly dangerous. Through the portal he could reach customer data, financial details, and telematics systems offering real-time tracking of vehicles; he did not test whether those telematics functions could be cancelled. The carmaker fixed the flaws within a week of his disclosure in February 2025. Zveare concluded that the whole chain came down to two simple API vulnerabilities, both in authentication, and stressed that getting authentication right is what prevents breaches of this kind.
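
The two authentication mistakes described above (a login whose checks the client could rewrite, and an ownership transfer gated on nothing more than the requester's own declaration) are easy to reproduce in a few lines. The following is an added example written for this article, not the carmaker's code or anything from the researcher's report: a toy dealer-portal backend with each vulnerable handler next to a hardened version. The route shapes, session ids, dealer ids, VIN, e-mail addresses and consent records are all constructed for illustration, and the way the vulnerable login is modelled (the browser tells the API whether the user is a national admin) is an assumption about how such a flaw typically looks, not a description of the real portal.

```javascript
// Added example (not the carmaker's code): a toy dealer-portal backend that
// reproduces two authentication mistakes, each beside a hardened handler.
// All ids, accounts, the VIN and the consent record below are constructed.

// Fresh copy of server-side state so every scenario starts clean.
function makeStore() {
  return {
    sessions: {
      "sess-dealer-17": { user: "staff@dealer17.example", dealerId: 17, role: "dealer_staff" },
      "sess-dealer-42": { user: "staff@dealer42.example", dealerId: 42, role: "dealer_staff" },
      "sess-hq":        { user: "hq@carmaker.example", dealerId: null, role: "national_admin" },
      "sess-owner":     { user: "owner@example.com", dealerId: null, role: "customer" },
    },
    dealers: {
      17: { name: "Example Motors North", financials: "constructed Q1 statement" },
      42: { name: "Example Motors South", financials: "constructed Q1 statement" },
    },
    vehicles: {
      "1HGCM82633A004352": { ownerAccount: "owner@example.com", dealerId: 17 },
    },
    // Owner consent recorded server-side out of band (e.g. signed at the dealership).
    consents: new Set(["1HGCM82633A004352:buyer@example.com"]),
  };
}

// Mistake 1 (assumed shape): the browser decides whether the user is a
// "national admin" and the API believes whatever the client sends.
function lookupDealerVulnerable(store, req) {
  const isAdmin = req.body.isNationalAdmin === true;            // attacker-controlled
  const ownDealer = req.body.dealerId === req.params.dealerId;  // also attacker-controlled
  if (!isAdmin && !ownDealer) return { status: 403 };
  return { status: 200, data: store.dealers[req.params.dealerId] };
}

// Hardened: identity and role come only from the server-side session.
function lookupDealerHardened(store, req) {
  const session = store.sessions[req.cookies.session];
  if (!session) return { status: 401 };
  const allowed = session.role === "national_admin" || session.dealerId === req.params.dealerId;
  if (!allowed) return { status: 403 };
  return { status: 200, data: store.dealers[req.params.dealerId] };
}

// Mistake 2: ownership transfer gated on a self-declared "this is legitimate" flag.
function transferOwnershipVulnerable(store, req) {
  const vehicle = store.vehicles[req.body.vin];
  if (!vehicle) return { status: 404 };
  if (req.body.iConfirmThisIsLegitimate !== true) return { status: 400 };
  vehicle.ownerAccount = req.body.newOwner;
  return { status: 200 };
}

// Hardened: the request must come from the current owner's own authenticated
// session, or from the dealer of record holding a recorded owner consent.
function transferOwnershipHardened(store, req) {
  const session = store.sessions[req.cookies.session];
  if (!session) return { status: 401 };
  const vehicle = store.vehicles[req.body.vin];
  if (!vehicle) return { status: 404 };
  const isOwner = session.user === vehicle.ownerAccount;
  const isDealerOfRecord = session.role === "dealer_staff" && session.dealerId === vehicle.dealerId;
  const hasConsent = store.consents.has(`${req.body.vin}:${req.body.newOwner}`);
  if (!isOwner && !(isDealerOfRecord && hasConsent)) return { status: 403 };
  vehicle.ownerAccount = req.body.newOwner;
  return { status: 200 };
}

// Scenario: an unauthenticated attacker asserts the admin flag to read another
// dealer's financials, then reassigns a stranger's car to an account they control.
function runAttack(lookupHandler, transferHandler) {
  const store = makeStore();
  const vin = "1HGCM82633A004352";
  const lookup = lookupHandler(store, {
    cookies: {}, params: { dealerId: 17 }, body: { isNationalAdmin: true, dealerId: 999 },
  });
  const transfer = transferHandler(store, {
    cookies: {}, params: {},
    body: { vin, newOwner: "attacker@evil.example", iConfirmThisIsLegitimate: true },
  });
  return { lookup: lookup.status, transfer: transfer.status, owner: store.vehicles[vin].ownerAccount };
}

console.log("vulnerable:", runAttack(lookupDealerVulnerable, transferOwnershipVulnerable));
console.log("hardened:  ", runAttack(lookupDealerHardened, transferOwnershipHardened));
```

Against the vulnerable handlers the attack returns 200 for both calls and the vehicle ends up owned by the attacker; against the hardened ones both calls return 401 and the owner is unchanged. The point of the hardened transfer is that legitimacy is established from facts the server already holds (who is logged in, which dealer sold the car, what consent is on file), never from a field the requester fills in; even the national admin session cannot reassign a car here without one of those facts.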
