A carmaker's online dealership portal was found leaking private customer information and vehicle data, allowing unauthorized access to remotely control car functions. A researcher discovered a flaw enabling the creation of an administrator account, granting access to customer data, financial details, and real-time location tracking of vehicles. The vulnerability also permitted pairing vehicles with mobile accounts to unlock cars, posing significant risks of theft and privacy breaches. The automaker fixed the issue after a week of reporting.
TPRM report: https://www.rankiteo.com/company/volkswagen-of-america-inc
"id": "vol225081225",
"linkid": "volkswagen-of-america-inc",
"type": "Breach",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Automotive',
'location': 'United States',
'size': 'Large (over 1,000 dealerships)',
'type': 'Automaker'}],
'attack_vector': 'Code modification at login page, bypassing security checks',
'customer_advisories': ['Tips to prevent stalking via car tracking'],
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally identifiable '
'information, financial '
'information, vehicle data, '
'telematics data'},
'description': 'A carmaker’s online dealership portal was found leaking '
'private customer information and vehicle data, allowing '
'remote access to cars. A researcher discovered a flaw that '
'permitted bypassing login security checks, creating a '
'national administrator account, and accessing sensitive data, '
'including real-time location tracking of vehicles.',
'impact': {'brand_reputation_impact': 'Negative due to security flaws and '
'potential stalking risks',
'data_compromised': 'Personally identifiable information, '
'financial information, vehicle data, '
'telematics data',
'identity_theft_risk': 'High',
'operational_impact': 'Potential unauthorized vehicle access and '
'control',
'payment_information_risk': 'Moderate',
'systems_affected': 'Online dealership portal, telematics systems, '
'remote vehicle control systems'},
'initial_access_broker': {'entry_point': 'Online dealership portal login page',
'high_value_targets': 'Customer data, vehicle '
'control systems'},
'investigation_status': 'Resolved',
'lessons_learned': 'Importance of securing online portals and access '
'controls, especially in automotive telematics systems.',
'motivation': 'Research, responsible disclosure',
'post_incident_analysis': {'corrective_actions': 'Security patches applied',
'root_causes': 'Login bypass vulnerability, '
'improper access controls'},
'recommendations': ['Use phone navigation apps instead of built-in car '
'navigation',
'Avoid storing frequent locations in car navigation',
'Use VPN when connecting to car hotspots',
'Remove unauthorized devices from remote access apps',
'Review car manufacturer’s privacy policy',
'Keep car software updated',
'Inspect vehicle for trackers',
'Avoid traveling alone if concerned about safety',
'Check dashcam cloud storage access'],
'references': [{'source': 'TechCrunch'}],
'response': {'containment_measures': 'Bug fixes implemented',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Security patches applied'},
'threat_actor': 'Eaton Zveare (Researcher)',
'title': "Carmaker's Online Dealership Portal Data Leak and Remote Vehicle "
'Access Vulnerability',
'type': 'Data Leak, Unauthorized Access, Remote Exploitation',
'vulnerability_exploited': 'Login bypass vulnerability, improper access '
'controls'}