Security flaws in a major carmaker’s dealer web portal allowed a hacker to remotely unlock vehicles and access sensitive customer information from anywhere in the world.
Security researcher Eaton Zveare discovered the vulnerability after finding flawed login code that loaded directly in the browser. By exploiting this weakness, he was able to create a “national admin” account, bypassing authentication and gaining full control of the portal.
With this level of access, Zveare could view personal and financial details of customers, track vehicles, and even link cars to his own account for remote unlocking without the owner’s consent. The breach affected over 1,000 dealership locations across the United States, and the system’s single sign-on feature made it possible to impersonate other users and move through dealer networks undetected.
The flaw was reported privately to the carmaker and was fixed in February 2025. According to Zveare, there is no evidence that the vulnerability was exploited before his discovery.





