Toyota sealed up a backdoor to its global supplier management network

Adam Bannister 07 February 2023 at 17:34 UTC
Updated: 14 February 2023 at 11:15 UTC

A cybersecurity researcher commended the quick response from Toyota following a reported vulnerability.

[Image: Toyota hack illustration]

UPDATE: This article was modified on February 13 to clarify that SHI International did not create the GSPIMS application nor assist in patching the vulnerability as originally claimed. A statement from SHI is included at the conclusion of this article.

A researcher revealed that he successfully infiltrated Toyota’s supplier management network, gaining access to sensitive information concerning approximately 3,000 suppliers and 14,000 users globally.

J. Eaton Zveare exploited a web application utilized by Toyota employees and suppliers in project coordination, which held information about parts, surveys, and procurement. Prominent partners and suppliers like Michelin, Continental, and Stanley Black & Decker were identified within the system.

The researcher managed to access Toyota’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator through a backdoor in the login framework.


A potential malicious breach could have revealed internal discussions by Toyota employees regarding suppliers and rankings based on various risk factors, warned Zveare.

Zveare described the security flaw, which Toyota promptly addressed, as “one of the most severe vulnerabilities I’ve encountered.”

Exploiting The API

The exploit pathway originated from modifying the JavaScript code in GSPIMS, which is an Angular-based single-page application.

“Developers manage access to Angular routes/pages by implementing controls to allow or deny user access,” Zveare explained in a blog post dated February 6. “Effectively, if a user attempts to access a route/page, determining their permission status and returning true or false is crucial. By altering both responses to return true, full access to the Angular app can be achieved.”

He added: “Removing the logout function was also necessary to prevent redirection to the login page. With these adjustments, the application became accessible and could be navigated.”

Zveare, previously known for compromising Jacuzzi’s SmartTub app, then used the backdoor to send an HTTP request that returned a JSON Web Token for a supplied email address, with no password required.

An API was available for an ‘Act As’ feature, permitting highly privileged users to log in as any global user.

Identifying a valid email was straightforward through a simple Google search of Toyota employees, as they followed a predictable format in North America (firstname.lastname@toyota.com).

Full System Access

Zveare initially logged in with a ‘Mgmt – Purchasing’ role but soon escalated privileges to SysAdmin after discovering a rolePrivileges node in the user/details API response and a findByEmail API endpoint that provided managerial details.

With a System Admin JWT in hand, Zveare noted that he essentially had comprehensive control of the entire system.


This control could have enabled an attacker to delete, alter, or leak data and create specialized spear phishing campaigns based on the accessed information.

Moreover, attackers might have “created their user account with enhanced privileges, ensuring persistent access in case the vulnerability was noted and resolved,” Zveare indicated.

Recommendation for Rewards

Zveare notified Toyota of the backdoor on November 3, 2022, with the company responding the same day and confirming on November 23 that the issue had been addressed.

Toyota remediated the concern by adjusting the createJWT and relevant endpoints to always return ‘HTTP status 400 – Bad Request’.

“I appreciated Toyota’s swift acknowledgment of the issue’s severity and their prompt remediation,” Zveare remarked to The Daily Swig. “As a large corporation, it appears that Toyota’s security team is well-equipped to address vulnerabilities efficiently across the company’s operations.

“While a bounty reward would have been welcome, it was not offered in this instance. I encourage them to reconsider this in the future. Recognition is valuable, but offering incentives is a solid strategy to attract skilled talent and prevent vulnerabilities from circulating on the black market.”

The Daily Swig has reached out to Toyota for a comment and will update the article upon receiving a response.

This article was revised on February 13 to remove statements claiming SHI International’s involvement in the creation or management of the GSPIMS application. The statement from SHI International clarifies: “SHI International has a trading relationship with Toyota Motor Corporation for providing software and hardware. However, SHI does not – and never has – developed any applications for Toyota, nor assumes responsibility for any aspects of Toyota’s IT infrastructure.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/toyota-sealed-up-a-backdoor-to-its-global-supplier-management-network
