Researcher compromised the Toyota Supplier Management Network

The infrastructure of Toyota was compromised again, this time its global supplier management network was hacked by a researcher.

The security researcher Eaton Zveare has exploited a vulnerability in Toyota’s Global Supplier Preparation Information Management System (GSPIMS) to achieve system admin access to Toyota’s global supplier management network.

The GSPIMS portal allows employees and suppliers to access to ongoing projects, surveys, information on purchases.

A JSON Web Token (JWT) is a sort of session token that represents a user’s valid authenticated session on a website. A user can usually get a JWT after logging into a website using his email and password

The analysis of the GSPIMS app allowed the researcher to discover a function named “GenerataJWT” that allows to generate a JWT based on a provided valid email address without providing any password.

The researcher pointed out that Corporate Toyota emails are easy to guess because use a predictable format (firstname.lastname@toyota.com) in North America. It was easy for the expert to find Toyota employees with Google queries, he also focused on the research of employees registered in the GSPIMS system. Once discovered the employee, Zveare was able to a createJWT HTTP request that returned a valid JWT.

The expert used the JWT to access the GSPIMS portal and after gaining access to the platform he discovered an account with system administrator privileges.

“Checking the managers of the managers, etc. made it easy to find accounts that had elevated access to the system. Eventually I found a North America Regional Admin. That gave me access to the User Administration section. I then poked around more and found users with even higher access, such as Supplier Admin, Global Admin, and finally, System Admin.” reads a post published by the expert. “In the GSPIMS settings, the tabs that appear are dependent on your role. There’s Regional Settings for Regional Admins, Global Settings for Global Admins, and System Admin Settings for System Admins. System Admins can access all the tabs.”

The researcher was able to obtain access to a system admin account that gave him full access to the system. The expert gained access to information on over 14,000 user accounts, information related to all available projects, surveys, and classified documents.

“I discovered what was essentially a backdoor login mechanism in the Toyota GSPIMS website/application that allowed me to log in as any corporate Toyota user or supplier just by knowing their email. I eventually uncovered a system administrator email and was able to log in to their account. Once that was done, I had full control over the entire global system.” concludes the expert.

Zveare reported the flaw to Toyota on November 3, 2022, and the company confirmed the vulnerability was fixed on November 23, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Toyota)