Adam Bannister07 February 2023 at 17:34 UTC
Updated: 14 February 2023 at 11:15 UTC
A security researcher has praised Toyota for acting quickly on a reported vulnerability which, as far as is known, was never exploited maliciously.

UPDATED: This article was revised on February 13 to correct earlier claims about SHI International's role in developing the Global Supplier Preparation Information Management System (GSPIMS) and in addressing the cited vulnerability, following a response from SHI International that is reproduced at the end of the article.
The researcher, Eaton Zveare, said he gained access to Toyota's supplier management system and, through it, to sensitive information on roughly 3,000 suppliers and 14,000 users worldwide.
The web application, which Toyota staff and suppliers use to coordinate projects, gave Zveare access to details of parts, surveys, and purchases, including records for suppliers such as Michelin, Continental, and Stanley Black & Decker.
Zveare obtained system administrator access to GSPIMS by exploiting a backdoor in the login process.
An attacker with this access could have read Toyota employees' internal comments about suppliers, as well as supplier rankings based on risk and other factors, according to Zveare.
Zveare characterized the security vulnerability that Toyota swiftly remedied as “one of the most severe vulnerabilities I have ever encountered”.
Exploitation Pathway
The exploit chain began with modifying, in the browser, the JavaScript of GSPIMS, a single-page application built on Angular.
“Developers typically control access to Angular routes/pages by implementing specific conditions,” Zveare explained in a blog post dated February 6. “Once a user seeks access to a route/page, it checks if access is allowed, returning true or false. By modifying both checks to return true, one can typically unlock the entire Angular application.”
He further noted, “The logout feature also needed to be disabled to prevent returning to the login page. After implementing those changes, the application was accessible for browsing.”
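The guard-flipping step described above, as an added example that is not code from the article, from Zveare, or from GSPIMS. It simulates the Angular-style route guard pattern in plain JavaScript: a guard is a function returning true or false from client-side state, so patching every guard to return true (and neutering logout) unlocks every page in the UI. The second half shows the check that actually matters, a server-side role matrix applied to each API call, which is unaffected by anything the client patches. The route names, roles, API paths and the session object are assumptions for illustration.

```javascript
// Added example: client-side route guards versus server-side authorization.
// Route names, roles and API paths are assumed for illustration only.
const ROUTES = [
  { path: 'supplier/overview', roles: ['Supplier', 'Mgmt - Purchasing', 'SysAdmin'] },
  { path: 'supplier/ratings',  roles: ['Mgmt - Purchasing', 'SysAdmin'] },
  { path: 'admin/users',       roles: ['SysAdmin'] },
];

// What a hand-written canActivate-style guard boils down to: a boolean
// derived from state the browser already holds (here, a cached role claim).
function makeRouteGuard(session) {
  return (route) => route.roles.includes(session.role);
}

function buildApp(session) {
  return {
    canActivate: makeRouteGuard(session),
    logout: () => { session.loggedIn = false; },
  };
}

// The modification the researcher describes: every guard returns true, and
// logout becomes a no-op so the app never bounces back to the login page.
function patchGuards(app) {
  app.canActivate = () => true;
  app.logout = () => {};
  return app;
}

// Which pages the SPA will render for a given (possibly patched) guard.
function reachableRoutes(app) {
  return ROUTES.filter((r) => app.canActivate(r)).map((r) => r.path);
}

// Server side: the same role matrix must be enforced on every API call,
// keyed on the role inside a verified token, never on what the client asserts.
const API_ROLES = {
  'GET /api/supplier/overview': ['Supplier', 'Mgmt - Purchasing', 'SysAdmin'],
  'GET /api/supplier/ratings':  ['Mgmt - Purchasing', 'SysAdmin'],
  'GET /api/admin/users':       ['SysAdmin'],
};

// Returns the HTTP status the API should answer with.
function serverAuthorize(verifiedClaims, request) {
  const allowed = API_ROLES[request];
  if (!allowed) return 404;
  return allowed.includes(verifiedClaims.role) ? 200 : 403;
}

// Demo: a supplier session before and after the in-browser patch.
const stock = buildApp({ loggedIn: true, role: 'Supplier' });
const patched = patchGuards(buildApp({ loggedIn: true, role: 'Supplier' }));
console.log('stock UI routes:  ', reachableRoutes(stock));
console.log('patched UI routes:', reachableRoutes(patched));
// The patch unlocks every page in the UI, but an API that checks the role
// in the verified token still answers 403 for admin data.
console.log('admin API, patched client:', serverAuthorize({ role: 'Supplier' }, 'GET /api/admin/users'));
```

The lesson the example encodes is that an Angular route guard is a navigation convenience, not a security boundary: if the pages unlocked by flipping the guards also load their data, the fault lies in the API that served it, not in the guard.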
Zveare, known for earlier findings including one in Jacuzzi's SmartTub application, then exploited the backdoor itself: an HTTP request that returned a JSON Web Token (JWT) for any supplied email address, with no password required.
The endpoint backed an 'Act As' feature intended to let high-privilege users impersonate any user in the system, but it handed out tokens without requiring a password.
Finding a valid email address was trivial: a quick search for Toyota personnel, combined with the company's standard North American address format (firstname.lastname@toyota.com), was enough.
Global Control Achieved
Initially logged in as a user with the 'Mgmt - Purchasing' role, Zveare escalated to SysAdmin after spotting a rolePrivileges node in the user/details API response and then using a findByEmail API endpoint that disclosed details of managers, giving him addresses to feed back into the passwordless token endpoint.
The tabs that became visible in the application made the scope clear: "with a System Admin JWT, I essentially held total, global control over the entire system," Zveare reported.
With that level of access, an attacker could have deleted, altered, or leaked data, and could have used the supplier and personnel details to build spear-phishing campaigns.
Moreover, Zveare cautioned that a malicious actor could “create their own user account with an elevated role to maintain access even after the issue was discovered and resolved.”
Bounty Suggestion
Zveare reported the backdoor to Toyota on November 3, 2022. The automaker replied the same day and confirmed on November 23 that the vulnerability had been fixed.
Toyota's fix was to make the createJWT and other relevant endpoints always return 'HTTP status 400 - Bad Request', effectively disabling them.
“I appreciated that Toyota acted swiftly and recognized the urgency of the situation,” Zveare told The Daily Swig. “Given the scale of Toyota, it’s reassuring to see that their security team is well-organized to tackle vulnerabilities across their extensive operations.”
“While a bounty would have been gratifying, none was offered in this circumstance. I trust they will contemplate this for the future. Acknowledgment is valuable, but providing rewards is essential for attracting top-notch talent and preventing exploits from reaching the black market.”
The Daily Swig has reached out to Toyota for comment, but there has been no response yet. Updates will follow as more information becomes available.
This article was amended on February 13 after SHI International said its role had been misrepresented. In a statement, the company said: “SHI International has a trading connection with Toyota Motor Corporation for software and hardware provision. As part of that connection, SHI International resold software licenses to Toyota. However, SHI does not, and has never, created any application for Toyota, nor is SHI International responsible for the deployment, management, or configuration of any part of Toyota’s IT infrastructure.”
Based on an article from
