Security Flaws in Auto Manufacturer’s Web Portal Allow Hackers to Remotely Unlock Vehicles Worldwide
A security researcher has disclosed that vulnerabilities in a car manufacturer’s online dealership platform have put sensitive customer information and vehicle data at risk, potentially giving hackers remote access to customers’ vehicles.
Eaton Zveare, a security researcher with software delivery firm Harness, informed TechCrunch that the flaw he discovered allowed for the creation of an admin account, granting “unrestricted access” to the unnamed carmaker’s centralized web platform.
This kind of access could enable a malicious individual to view personal and financial details of the carmaker’s clients, track vehicles, and sign customers up for features that allow owners—or hackers—to control various car functions remotely.
Zveare chose not to identify the vendor, indicating it was a prominent automaker with several well-known sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas, Zveare explained how the vulnerabilities expose a structural weakness of dealership systems: they grant employees and partners broad access to customer and vehicle data, so a single flaw in the login exposes all of it.
Zveare, who has previously identified vulnerabilities in automotive customer and vehicle management systems, discovered this flaw earlier this year during a weekend project, as he told TechCrunch.
He noted that while identifying the security issues in the portal’s login system was challenging, he eventually circumvented the login entirely by creating a new “national admin” account.
The flaws were critical because the login check itself ran in client-side code delivered to the user's browser when the portal's login page loaded. Anyone loading the page, Zveare in this case, could alter that code and bypass the login checks entirely. Zveare told TechCrunch that the carmaker found no signs of prior exploitation, suggesting he was the first to discover and report the vulnerability.
Once logged in, the account provided access to over 1,000 of the carmaker’s dealerships throughout the U.S., as Zveare pointed out.
“No one even realizes you’re quietly accessing all of these dealers’ data, which includes their financials, sensitive information, and leads,” Zveare explained regarding the access he had.
Zveare found a national consumer lookup tool within the dealership portal that allowed logged-in users to check vehicle and driver data for that specific automaker.
In one instance, Zveare took the vehicle identification number (VIN) from a car parked in a public lot and used the tool to identify the car's owner. He noted that the tool could also look up a person using just a customer's first and last name.
With access to the portal, Zveare also highlighted the ability to connect any vehicle to a mobile account, offering customers the option to manage certain car functions remotely via an app, such as unlocking their vehicles.
Zveare tested this with a friend’s account, with their consent. He mentioned that transferring ownership to an account he controlled required just a simple confirmation—essentially a “pinky promise”—that the user carrying out the transfer was legitimate.
“For my purposes, I simply asked a friend who agreed to let me take over their car, and I went from there,” Zveare recounted. “But [the portal] could technically do this to anyone merely by knowing their name—which is rather unsettling—or I could easily target vehicles in parking lots.”
While Zveare didn’t experiment with whether he could drive the car away, he indicated that this vulnerability could be exploited by thieves to break into cars and steal belongings, for instance.
Another pressing issue with accessing this carmaker’s portal was that it provided entry to other dealers’ systems linked through single sign-on. Zveare explained that the carmaker’s dealer systems were interconnected, allowing easy navigation from one system to another.
Moreover, the portal included a feature that allowed admins, such as the account Zveare created, to “impersonate” other users, thereby gaining access to other dealer systems as if they were that user without needing their login details. Zveare remarked that this feature was reminiscent of something uncovered in a Toyota dealer portal in 2023.
“These are just security disasters waiting to happen,” Zveare commented about the impersonation feature.
Once inside the portal, Zveare came across personally identifiable customer information, some financial details, and telematics systems that allowed real-time tracking of rental or courtesy cars, as well as vehicles in transit across the country, with the option to cancel them—though Zveare chose not to test that functionality.
Zveare reported that the vulnerabilities were remedied within a week in February 2025, shortly after he alerted the carmaker.
“The lesson learned is that just two simple API vulnerabilities opened the floodgates, and it always comes back to authentication,” Zveare concluded. “If you mismanage that, everything crumbles.”