Toyota sealed up a backdoor to its global supplier management network

Adam Bannister, 07 February 2023 at 17:34 UTC
Updated: 14 February 2023 at 11:15 UTC

A security expert commended Toyota for its quick action in response to a recently disclosed vulnerability.

The researcher revealed that they had gained access to Toyota’s supplier management network, exposing sensitive information on approximately 3,000 suppliers and 14,000 users worldwide.

Eaton Zveare, the researcher, breached a web application used by Toyota’s employees and suppliers to coordinate projects, which held sensitive data about components, surveys, and procurement. The system contained details about notable partners such as Michelin, Continental, and Stanley Black & Decker.

By exploiting a backdoor in the login process, Zveare obtained system administrator access to the Global Supplier Preparation Information Management System (GSPIMS).

UPDATED: This article was revised on February 13, following a statement from SHI International (included at the conclusion of this article), to clarify that SHI International neither developed the GSPIMS application nor assisted in addressing the identified vulnerability.

The researcher noted that an attacker could also have accessed confidential comments made by Toyota personnel about suppliers, including risk-based evaluations and other assessments.

Zveare characterized the vulnerability as “one of the most severe vulnerabilities I have ever encountered,” and praised Toyota for promptly closing the security gap.

Exploitation Methodology

The attack began with a modification of the JavaScript code in GSPIMS, an Angular single-page application.

“Developers typically manage access to Angular routes and pages through specific controls,” Zveare explained in a blog post published on February 6. “By altering the logic to return true in access checks, an attacker can effectively unlock the application.”

He further noted that the logout functionality had to be modified so that the app did not redirect to the login page, allowing it to be navigated freely.

Calling the backdoored API with a single HTTP request, Zveare received a JSON Web Token (JWT) for a given email address without supplying a password.

The API in question implemented an ‘Act As’ feature, which lets high-privileged users log in as any user in the global system.

Finding a valid email was straightforward, as Toyota employed a predictable format within their North American operations (firstname.lastname@toyota.com).

Complete System Access

Initially accessing the system as a user with a ‘Mgmt – Purchasing’ role, Zveare eventually escalated his privileges to SysAdmin after finding a rolePrivileges node in the user/details API response and then a findByEmail API endpoint that returned managerial information about users.

The discovery of additional options within the application indicated that “with a System Admin JWT, I essentially had total, global control over the entire system,” stated Zveare.

This level of access could have led to the modification, deletion, or unauthorized disclosure of data, as well as enabling phishing attacks.

Zveare warned that attackers could have created their own accounts with elevated privileges to maintain access even after the vulnerability was addressed.

Proactive Response and Recommendations

On November 3, 2022, the researcher notified Toyota about the backdoor, and the car manufacturer took immediate action, confirming that the issue was resolved by November 23.

Toyota addressed the vulnerability by modifying the createJWT and other endpoints to return an ‘HTTP status 400 – Bad Request’ under all circumstances.

“I appreciated that Toyota quickly recognized the gravity of the problem and acted to mitigate it,” Zveare remarked to The Daily Swig. “Given Toyota’s size, it’s clear that their security team is adept at efficiently managing vulnerabilities across the organization.”

Although Zveare had hoped for a bounty in recognition of his efforts, he acknowledged that none was offered in this instance. “While appreciation is valued, providing rewards is essential to attract top talent and deter exploits from reaching the black market.”

The Daily Swig has reached out to Toyota for comments; no response has been received yet, but updates will follow if and when one is provided.

This article was updated on February 13 to clarify previous claims regarding SHI International’s role in relation to GSPIMS, based on a statement from the organization emphasizing their lack of involvement in the creation or management of any application for Toyota.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/toyota-sealed-up-a-backdoor-to-its-global-supplier-management-network
