Expert was awarded $10,000 for disclosing XSS flaw to Tesla

Tesla paid $10,000 a researcher that found a stored cross-site scripting (XSS) vulnerability that could have been exploited to change vehicle information.

The security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

Curry discovered the issue in the software on his Tesla Model 3. He used the XSS Hunter tool to insert a payload in the “Name Your Vehicle” field in the infotainment system.

The XSS Hunter works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service. 

Curiously Carry discovered the XSS issue months later when he used the mobile app to contact Tesla support after his windshield was cracked by a rock.

He was setting up an appointment when he noticed from the XSS Hunter panel that the flaw was triggered. He discovered that some information about the vehicle was collected from a page of Tesla application that was used to see the vital statistics of the car.

The exposed information included the vehicle’s VIN, speed, temperature, version number, whether it was locked or not, tire pressure, and alerts. The data also included other firmware info such as geofense locations, CAN viewers, and configurations.

“The thing that was very interesting was that live support agents have the capability to send updates out to cars and, most likely, modify configurations of vehicles. My guess was that this application had that functionality based off the different hyperlinks within the DOM,” Curry wrote. “I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars.”

“If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.” he added.

The researcher reported the flaw to Tesla that acknowledged it and addressed it is only 12 hours. Below the timeline of the flaw:

• 20 Jun 2019 06:27:30 UTC – Reported
• 20 Jun 2019 20:35:35 UTC – Triaged, hot fix
• 11 Jul 2019 16:07:59 UTC – Bounty and resolution

Curry was awarded $10,000 for reporting the flaw to Tesla.

“Looking back, this was a very simple issue but understandably something that could’ve been overlooked or regressed somehow. Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information,” Curry concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Tesla, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]