Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage
UPDATED This article was updated on February 13 to remove claims that SHI International created the application (GSPIMS) and helped to patch the vulnerability referenced, in response to a statement from SHI International, which is included at the end of the article
A security researcher said he hacked into Toyota’s supplier management network and was able to access sensitive data associated with around 3,000 suppliers and 14,000 users worldwide.
Eaton Zveare compromised a web application used by Toyota employees and suppliers to coordinate projects, and containing details about parts, surveys, and purchases. Notable partners and suppliers found on the system included Michelin, Continental, and Stanley Black & Decker.
The researcher ultimately gained access to the Japanese carmaker’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator via a backdoor in the login mechanism.
RELATED Car companies massively exposed to web vulnerabilities
A malicious breach could have exposed comments made by Toyota employees about suppliers and supplier rankings by risk and other variables, said Zveare.
Zveare described the security hole, which Toyota patched quickly, as “one of the most severe vulnerabilities I have ever found”.
Return true;
The path to exploit began by patching the JavaScript code in GSPIMS, an Angular, single-page application.
“Developers control access to Angular routes/pages by implementing CanActivate and CanActivateChild,” said Zveare in a blog post published yesterday (February 6). “Basically, when a user attempts to navigate to a route/page, you would determine if they are allowed to view it, and then return true or false. By patching both to return true, you can usually fully unlock an Angular app.”
He added: “The logout code also needed to be removed to prevent a redirect back to the login page. With those patches applied, the app loads and can be browsed.”
Zveare, who has previously pwned Jacuzzi’s SmartTub app, then leveraged the backdoor via a createJWT HTTP request, which surrendered a JSON Web Token with an email, but no password, provided.
The createJWT API was used for an ‘Act As’ feature that allowed high privileged users to log in as any global user.
Finding a valid email only required a little Googling of Toyota personnel, since Toyota used a predictable format in North America (firstname.lastname@toyota.com).
Total, global control
Initially logged in as a user with a ‘Mgmt – Purchasing’ role, Zveare eventually made it to SysAdmin after finding a rolePrivileges node in the user/details API response, then a findByEmail API endpoint that detailed a user’s managers.
Based on the additional tabs that appeared within the application, it was clear that “with a System Admin JWT, I basically had total, global control over the entire system”, said Zveare.
DON’T MISS Tesla tackles CORS misconfigurations that left internal networks vulnerable
Therefore an attacker could have deleted, modified or leaked data, and abused the data to craft spear phishing campaigns.
Threat actors could have also “added their own user account with an elevated role, to retain access should the issue ever be discovered and fixed”, suggested Zveare.
Bounty recommendation
The researcher alerted Toyota to the backdoor on November 3, 2022, and the carmaker responded the same day, before confirming on November 23 that the issue had been fixed.
Toyota fixed the issue by making the createJWT and findByEmail endpoints return ‘HTTP status 400 – Bad Request’ in all cases.
“I was glad Toyota recognized the severity of the issue and quickly fixed it,” Zveare told The Daily Swig. “Toyota is a huge corporation and it seems like their security team is set up to efficiently address vulnerabilities across all aspects of the company.
“A bounty payment would have been nice, but they did not offer one in this case. I hope they will consider changing this in the future. Recognition is always appreciated, but offering rewards is how you attract top talent and keep exploits off the black market.”
The Daily Swig has invited Toyota to comment – no response yet but we will update the artice if and when they do so.
This article was updated on February 13 to remove assertions that SHI International created the application (GSPIMS) and helped to patch the vulnerability referenced, in response to this statement from SHI International: “SHI International has a trading relationship with Toyota Motor Corporation for the provision of software and hardware. As part of that relationship, SHI International resold software licenses to Toyota. But SHI does not – and never has – created any application for Toyota, nor is SHI International responsible for the deployment, management or configuration of any part of Toyota’s IT infrastructure.”
RECOMMENDED Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’
