Toyota supplier portal breached by white hat hacker

Zveare found he could penetrate the web portal by generating a JSON Web Token, or JWT, with a corporate Toyota email address, even without a password.

A JWT is a signed token that lets its holder act as an authenticated user on a website. Typically, a JWT is issued only after a user has logged in with an email and password, and the site then accepts the token as proof of a verified identity when the user requests secured pages.

To gain a JWT for the portal, Zveare searched the internet for Toyota supply chain employees. Using the format: [email protected], Zveare entered the name of a Toyota employee and found a successful match. After searching the portal, he found an account with system administrator privileges and used that same process to gain read-and-write access to 14,000 corporate Toyota email accounts.

In an email to Automotive News, Zveare, a part-time beekeeper and director of technology at a digital retailer, said Toyota’s retail customers should not be concerned because the hack did not expose any of their personal information.

“On the other hand, Toyota partners/suppliers should be deeply concerned that their corporate email addresses and other information about their Toyota relationship could have been easily dumped and sold on the black market for phishing campaigns or other malicious purposes,” Zveare said.

Zveare is part of a cadre of white hat hackers who go searching for vulnerabilities in hopes of a reward.

Although Toyota appreciated his security research, Zveare didn’t collect the reward he anticipated.

“Given how much profit they make per year, I think they should definitely allocate some to their security teams that they can use to reward researchers,” Zveare said. “While recognition is always appreciated, if you don’t offer money, it might be more appealing for hackers to sell their exploits on the black market.”

Toyota has a formal program for security researchers looking into potential vulnerabilities. Proffitt said that researchers interested in partnering with Toyota are encouraged to visit www.hackerone.com/toyota.

This is the second major security issue Toyota has faced in recent months. In September 2022, white hat auto hacker Sam Curry and other software security researchers were able to gain access to the personal information of Toyota customers via a telematics service provided by SiriusXM.
