A major automaker’s online dealership portal was found leaking sensitive customer and vehicle data, raising serious security concerns.
Researcher Eaton Zveare discovered the flaw, which allowed him to bypass login security checks and create a national administrator account.
This account provided access to dealership data, consumer lookup tools, and even the ability to remotely control vehicles.
By using a car’s VIN (easily visible on windshields), Zveare could identify owners and pair vehicles with mobile accounts.
This meant attackers could potentially unlock cars and steal belongings.
Although Zveare did not attempt to drive a vehicle, the flaw created a real risk of theft and stalking.
The portal also exposed personally identifiable customer information, some financial records, and telematics systems capable of tracking real-time vehicle locations.
Alarmingly, administrator accounts could impersonate dealership staff without needing credentials, expanding the scope of the breach.
While the expert found no evidence of malicious exploitation, he stressed the vulnerabilities were a “nightmare waiting to happen.”
The automaker fixed the flaws within a week.
Experts advise car owners to limit in-car data storage, update software, review app access, and inspect vehicles for trackers to safeguard privacy.



