Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere

A security researcher revealed that vulnerabilities in a carmaker’s online dealership portal exposed customers’ private information and vehicle data, potentially allowing hackers to remotely access any of its customers’ vehicles. Eaton Zveare, a security researcher at software delivery company Harness, discovered the flaw, which enabled the creation of an admin account with unrestricted access to the unnamed automaker’s centralized web portal.

With this access, a malicious actor could view customers’ personal and financial data, track vehicles, and enroll them in features that allow remote control of certain car functions. Zveare chose not to name the automaker but described it as a widely known company with several popular sub-brands.

In an interview ahead of his talk at the Def Con security conference in Las Vegas, Zveare emphasized the risks posed by dealership systems, which grant employees broad access to sensitive customer and vehicle data. He found the flaw earlier this year as part of a weekend project, building on his prior discoveries of vulnerabilities in carmakers’ systems.

The security flaws in the portal’s login system were difficult to detect but allowed Zveare to bypass authentication entirely by creating a new “national admin” account. The vulnerabilities stemmed from buggy code loaded in the user’s browser when accessing the login page, enabling modifications to bypass security checks. The carmaker found no evidence of prior exploitation, indicating Zveare was the first to report the issue.

Once logged in, the admin account provided access to over 1,000 dealerships across the U.S. Zveare described the ability to silently view dealers’ financial records, private data, and customer leads without detection.

Inside the portal, he discovered a national consumer lookup tool that allowed users to search for vehicle and driver information using a car’s vehicle identification number (VIN) or even just a customer’s first and last name. In one test, Zveare used the VIN of a parked car to identify its owner.

The portal also permitted pairing any vehicle with a mobile account, enabling remote control of car functions like unlocking doors. Zveare demonstrated this by transferring ownership of a friend’s car with their consent, noting that the process only required a simple attestation—effectively a “pinky promise”—without rigorous verification.

Another concerning feature was single sign-on access to interconnected dealer systems, allowing admins to impersonate other users and gain unauthorized entry into linked platforms. Zveare compared this to a similar vulnerability found in a Toyota dealer portal in 2023.

Within the portal, Zveare accessed personally identifiable customer data, financial details, and telematics systems that tracked the real-time location of rental and shipped vehicles. While he could have canceled shipments, he refrained from testing this capability.

The carmaker fixed the vulnerabilities within a week in February 2025 after Zveare’s disclosure. He highlighted the broader issue, stating that just two simple API flaws related to authentication could compromise an entire system. “If you get authentication wrong, everything falls apart,” he concluded.
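As an added illustration of the bug class the article describes (a check performed by code in the user’s browser that the server then trusts) and of the closing point that a couple of authentication flaws can compromise an entire system, here is a small JavaScript model of an account-creation endpoint in its weak and hardened forms. It is not code from the article or the affected portal; the session store, field names and the `canCreate` grant list are assumptions for illustration.

```javascript
// Added example, not from the article or the portal it describes. The session store,
// field names and the canCreate grant list are assumptions for illustration.

// Constructed server-side state: one verified dealer session and the roles it may create.
const sessions = new Map([
  ["sess-dealer-1", { user: "dealer.user", role: "dealer", canCreate: ["dealer"] }],
]);
const accounts = new Map();
const auditLog = [];

// Vulnerable pattern: the login page's script decides whether the caller is "verified"
// and which role to request, and the server trusts those fields. A flag computed in the
// browser is not a control: the server cannot tell the page's own request from a modified one.
function createAccountVulnerable(body) {
  if (!body.verified) return { ok: false, reason: "not verified" };
  accounts.set(body.username, { role: body.role });
  return { ok: true, role: body.role };
}

// Hardened pattern: authorization comes from a server-held session, never from the request
// body; the requested role must be within what the caller is allowed to grant; and every
// attempt, allowed or denied, is written to an audit log so that a denied "national_admin"
// request is visible to detection.
function createAccountHardened(sessionId, body) {
  const session = sessions.get(sessionId);
  const allowed = Boolean(session) && session.canCreate.includes(body.role);
  auditLog.push({
    at: new Date().toISOString(),
    actor: session ? session.user : "unauthenticated",
    requested: body.role,
    allowed,
  });
  if (!allowed) return { ok: false, reason: "forbidden" };
  accounts.set(body.username, { role: body.role, createdBy: session.user });
  return { ok: true, role: body.role };
}

// Denied attempts are the entries worth alerting on.
function deniedAttempts() {
  return auditLog.filter((entry) => !entry.allowed);
}
```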