{"id":10359,"date":"2025-08-11T09:53:52","date_gmt":"2025-08-11T09:53:52","guid":{"rendered":"http:\/\/localhost\/?p=10359"},"modified":"2025-08-11T09:53:52","modified_gmt":"2025-08-11T09:53:52","slug":"online-portal-exposed-car-and-personal-data-allowed-anyone-to-remotely-unlock-cars","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=10359","title":{"rendered":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-08-11T14:03:35&#8243;,&#8221;description&#8221;:&#8221;A carmaker\u2019s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access could remotely break into a car.\\n\\nResearcher Eaton Zveare shared his discovery with TechCrunch. Although he said he has chosen not to disclose the vendor&#8217;s name, he revealed that it is a well-known automaker with several popular sub-brands and more than 1,000 dealerships across the United States.\\n\\nZveare says it wasn\u2019t easy to find the flaw, but once he did, it allowed him to modify the code at the portal\u2019s login page so he could bypass the login security checks. This permitted him to create a new national administrator account.\\n\\nNot only did this allow him to access all the data of these dealerships, he also found a national consumer lookup tool that allowed any logged-in portal user to look up the vehicle and driver data of that carmaker.\\n\\nReal-life tests showed that taking a vehicle\u2019s unique identification number (VIN) from the windshield of a car allowed anyone with access to the portal to look up the name of the owner. 
It was also possible to pair any vehicle with a mobile account which could then be used to remotely control a car\u2019s functions, such as unlocking the vehicle.\\n\\nSince either a VIN or someone\u2019s first and last name was enough to find an account and transfer its ownership to one under the control of an attacker, the attacker would\u2014at least\u2014be able to open the car and steal everything inside. The researcher did not test whether he was able to drive away in it.\\n\\nAlthough he found no evidence of anyone else exploiting the flaw, the portals were a security nightmare waiting to happen. The portal even allowed administrator accounts, such as the one he was able to create, to access other dealer systems as if they were that user without needing their logins. He also found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars.\\n\\nAs we have said before, this is exactly the sort of thing the Federal Communications Commission (FCC) wants car manufacturers to make harder for stalkers, not easier.\\n\\nZveare will be presenting his findings at Defcon. 
He reported the bugs he found to the car maker, and says it took them a week to fix them.\\n\\n## Tips to keep a stalker from tracking your car\\n\\nNot all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:\\n\\n  * Use the navigation app on your phone (such as Google Maps, Waze, etc), rather than the one built into your car.\\n  * Do not store places you visit regularly in the car\u2019s navigation.\\n  * Consider using a VPN when you connect to your car\u2019s hotspot.\\n  * Find out which devices can access the car or its location data using any \u201cremote access\u201d apps for the car, and remove the devices that are not under your control.\\n  * Familiarize yourself with the car manufacturer\u2019s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.\\n  * Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.\\n  * If a suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.\\n  * Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.\\n  * If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.&#8221;,&#8221;published&#8221;:&#8221;2025-08-11T13:18:09&#8243;,&#8221;modified&#8221;:&#8221;2025-08-11T13:18:09&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Online portal exposed car and personal data, allowed anyone to remotely unlock cars&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/20
25\/08\/online-portal-exposed-car-and-personal-data-allowed-anyone-to-remotely-unlock-cars&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-08-11T14:03:35&#8243;,&#8221;description&#8221;:&#8221;A carmaker\u2019s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-10359","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=10359\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Online portal exposed car and personal data, allowed anyone to 
remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-08-11T14:03:35&#8243;,&#8221;description&#8221;:&#8221;A carmaker\u2019s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=10359\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-11T09:53:52+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Online portal exposed car and personal data, allowed anyone to remotely unlock 
cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150\",\"datePublished\":\"2025-08-11T09:53:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359\"},\"wordCount\":840,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=10359#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359\",\"name\":\"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-08-11T09:53:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=10359\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10359#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=10359","og_locale":"en_US","og_type":"article","og_title":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-08-11T14:03:35&#8243;,&#8221;description&#8221;:&#8221;A carmaker\u2019s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access...","og_url":"https:\/\/zero.redgem.net\/?p=10359","og_site_name":"zero redgem","article_published_time":"2025-08-11T09:53:52+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=10359#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=10359"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150","datePublished":"2025-08-11T09:53:52+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=10359"},"wordCount":840,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=10359#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=10359","url":"https:\/\/zero.redgem.net\/?p=10359","name":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-08-11T09:53:52+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=10359#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=10359"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=10359#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Online portal exposed car and personal data, allowed anyone to remotely unlock cars_MALWAREBYTES:BD0A25056397D4D1BC95B5036F59E150"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/10359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10359"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/10359\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}