Toyota sealed up a backdoor to its global supplier management network

Adam Bannister 07 February 2023 at 17:34 UTC
Updated: 14 February 2023 at 11:15 UTC

The researcher who found the flaw praised Toyota for acting swiftly once the breach was reported; the intrusion itself was, fortunately, carried out in good faith.

Security Update

Update: This article was amended on February 13 to clarify that SHI International neither created the GSPIMS application nor assisted in patching the vulnerability described here, per a formal statement from SHI International included at the end of the article.

A security researcher disclosed that he successfully infiltrated Toyota’s supplier management infrastructure, gaining access to critical information regarding approximately 3,000 suppliers and 14,000 users worldwide.

Eaton Zveare exploited a web application used by Toyota employees and partners to coordinate projects, including detailed information about components, surveys, and purchases. Suppliers onboarded to the platform included Michelin, Continental, and Stanley Black & Decker.

The researcher attained administrative access to Toyota’s Global Supplier Preparation Information Management System (GSPIMS) through a backdoor in the login procedure.


A potential malicious intrusion could have disclosed sensitive remarks from Toyota employees regarding suppliers and evaluations based on risk and other criteria, noted Zveare.

Zveare characterized the security flaw, which Toyota rapidly addressed, as “one of the most severe vulnerabilities I have ever encountered.”

Path to Exploitation

The exploitation journey commenced with modifications to the JavaScript code within GSPIMS, an Angular-based single-page application.

“Developers regulate access to Angular routes/pages by implementing checks to return true or false,” Zveare explained in a blog post from February 6. “In essence, when a user tries to navigate to a specific page, you determine their access rights and respond accordingly. By ensuring both checks return true, the Angular application can be fully unlocked.”

He further noted, “The logout functionality also needed to be disabled to avoid redirection to the login screen. Once those adjustments were made, the application became accessible for browsing.”

Zveare, who has previously exploited Jacuzzi’s SmartTub app, then triggered the backdoor with an HTTP request that returned a JSON Web Token (JWT) in exchange for an email address alone; no password was required.

The API in question backed an ‘Act As’ feature that allows higher-privileged users to log in as any user worldwide.

Locating a valid email was straightforward by searching through Toyota staff details, as the company maintained a consistent format for personnel emails in North America (firstname.lastname@toyota.com).

Complete Control Worldwide

Initially logging in as a user assigned a ‘Mgmt – Purchasing’ role, Zveare eventually escalated privileges to System Administrator after identifying a rolePrivileges node in the user/details API response, followed by a findByEmail API endpoint that listed a user’s supervisors.

Based on the additional features visible within the application, Zveare confirmed that “with a System Admin JWT, I effectively had total global control over the entire system.”


An attacker in that position could have deleted, modified, or leaked data, and used the information to craft spear-phishing campaigns.

Threat actors could have “added their own user account with elevated permissions, ensuring continual access even after the issue was rectified,” Zveare suggested.

Safety Recommendation

The researcher informed Toyota about the backdoor on November 3, 2022, with the automaker responding on the same day, confirming by November 23 that the issue had been resolved.

Toyota fixed the issue by changing the createJWT and related endpoints so that they always return ‘HTTP status 400 – Bad Request’.

“I appreciated Toyota’s recognition of the issue’s severity and their prompt resolution,” Zveare remarked to The Daily Swig. “Toyota is a large organization, and it appears their security team is well-equipped to efficiently handle vulnerabilities across the company’s spectrum.”

“A bounty reward would have been desirable, but none was offered in this case. I hope future considerations will lead to such changes. While acknowledgment is valuable, offering incentives is essential for attracting top talent and preventing exploits from entering the underground market.”

The Daily Swig has reached out to Toyota for comments; there has been no response so far, but the article will be updated if and when they do.

This article was revised on February 13 to eliminate claims that SHI International was responsible for creating the GSPIMS application or for patching the referenced vulnerability, according to this statement from SHI International: “SHI International has a trading relationship with Toyota Motor Corporation for the provision of software and hardware. In this collaboration, SHI International resold software licenses to Toyota. However, SHI has never created any application for Toyota nor is SHI International responsible for the deployment, management, or configuration of any aspect of Toyota’s IT infrastructure.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/toyota-sealed-up-a-backdoor-to-its-global-supplier-management-network
