Cracked screen support ticket exposes blind XSS vuln
A cracked windshield indirectly led to security researcher Sam Curry discovering a blind cross site-scripting (XSS) vulnerability on Tesla’s website.
Curry had been playing around with the ‘Name Your Vehicle’ functionality of his Tesla Model 3. Initially, he nicknamed his car ‘%x.%x.%x.%x’ to see if it was vulnerable to format string attacks that previously affected the 2011 BMW 330i.
Having discovered there was no problem on that front, Curry decided to nickname his Tesla according to a payload from the XSS Hunter utility.
Tesla was flexible in allowing a long input length for the nickname, and didn’t object to the inclusion of JavaScript within it.
Curry continued toying around with the other functionalities on the car, forgetting he’d set his vehicle’s name as a blind XSS payload.
Cracking the code
Several weeks later, Curry had a minor accident that left him with a cracked windshield on his electric car. He used Tesla’s in-app support to set up an appointment and continued driving.
The support ticket Curry had created resulted in the blind XSS script he’d left as the car’s nickname executing in the Tesla support worker’s browser.
“One of the agents responding to my cracked windshield fired my XSS hunter payload from within the context of the ‘garage.vn.teslamotors.com’ domain,” Curry explained in a blog post related to his finding.
The mistake Tesla had made – which it has since corrected – was to allow a vehicle name containing JavaScript to be displayed on an internal support dashboard, resulting in the execution of code because of a blind XSS vulnerability.
“The screenshot attached to the XSS hunter showed that the page was used to see the vital statistics of the vehicle and was accessed via an incremental vehicle ID in the URL,” Curry writes.
“The referrer header had my vehicle’s VIN number as an argument.”
RELATED School’s out: Meet the teen hackers swapping books for bugs
The returned information also featured tabs about firmware, CAN viewers, geofence locations, configurations, and internal code names.
The ‘garage.vn.teslamotors.com’ URL timed out when Curry tried to access it, and probably pointed to an internal application.
“I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars,” Curry said.
“If I were an attacker attempting to compromise this, I’d probably have to submit a few support requests, but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.”
Curry reported his findings to Tesla through its bug bounty program. The electric car firm responded commendably quickly, confirming there was a problem and rolling out a hot fix within 12 hours, Curry reports.
Curry earned $10,000 from his finding. Tesla’s handling confirmed that the issue was treated as serious internally, but its exact impact remains something of a mystery.
Curry concludes: “Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information.”
The Daily Swig asked Tesla to comment on this issue. We’ll update this story as and when more information comes to hand.
RELATED Bug Bounty Radar // June 2019
