A major unnamed automaker’s online dealership portal exposed private customer data and vehicle controls due to a critical security flaw.
Security researcher Eaton Zveare, from software delivery firm Harness, discovered the bug earlier this year. The flaw let him create a “national admin” account that bypassed all login checks, granting unrestricted access to the portal used by over 1,000 dealers in the US.
From this account, Zveare accessed personal info, financials, and could track vehicles in real time. He even used a Vehicle Identification Number (VIN) seen on a windshield in public to find the owner’s name through the portal’s consumer lookup tool. 
Zveare also demonstrated transferring a car’s remote control app to his own account, requiring only a simple attestation—a “pinky promise”—to confirm the transfer. This could let hackers remotely unlock or control cars, though Zveare did not test driving capabilities.
The portal linked dealer systems through single sign-on with “user impersonation” features. This allowed the admin account to access other dealers’ systems without credentials—a security nightmare Zveare compared to a Toyota portal flaw disclosed earlier this year.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” Eaton Zveare stated.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,”
“But [the portal] could basically do that to anyone just by knowing their name — which kind-of freaks me out a bit — or I could just look up a car in the parking lots.”
“They’re just security nightmares waiting to happen,” Zveare said about the impersonation feature.
The researcher told TechCrunch the buggy login code ran fully in the user’s browser, allowing code modifications to bypass security checks. There was no sign of previous exploitation.
Zveare reported the issue to the automaker, who fixed the vulnerabilities in about a week by February 2025.
“The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication,” Zveare said.
“If you’re going to get those wrong, then everything just falls down.”
Zveare will discuss the flaws further at the Def Con security conference in Las Vegas this Sunday.
Read more about Zveare’s previous carmaker hacks on Toyota’s c360 system and Toyota dealer portal.
