A security researcher has uncovered severe vulnerabilities in a major carmaker’s online dealership portal that could have allowed hackers to access sensitive customer data and even remotely unlock vehicles.
Eaton Zveare, a security researcher at software delivery company Harness, told TechCrunch that the flaw enabled the creation of a “national admin” account with unrestricted access to the automaker’s centralized web portal. From there, an attacker could view personal and financial data, track vehicles, and activate features that let them control certain car functions from anywhere.
Zveare, who has previously exposed security gaps in carmaker systems, said he found the bug earlier this year as part of a weekend project. The login system’s code, loaded in the user’s browser, could be modified to bypass authentication checks entirely. The exploit provided access to data from over 1,000 dealers across the U.S., as well as a national consumer lookup tool that could identify a car owner using only their name or VIN.
In a proof-of-concept test with a friend’s consent, Zveare was able to pair a vehicle with his account, allowing remote unlocking, a vulnerability that could be exploited by car thieves. The portal’s interconnected dealer systems also allowed user impersonation, enabling full access to other dealer accounts without their credentials.
The flaws also exposed telematics data, including real-time location tracking for rental, courtesy, and in-transit vehicles. Although Zveare did not test driving control, he warned the risk of abuse was high.
The automaker fixed the issues within a week of his February 2025 disclosure. Zveare stressed that the breach was made possible by just two simple API authentication vulnerabilities, saying: “If you get authentication wrong, everything else falls apart.”