The security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.
Curry discovered the issue in the software on his Tesla Model 3. He used the XSS Hunter tool to insert a payload in the “Name Your Vehicle” field in the infotainment system.
The XSS Hunter works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
Curiously Carry discovered the XSS issue months later when he used the mobile app to contact Tesla support after his windshield was cracked by a rock.
He was setting up an appointment when he noticed from the XSS Hunter panel that the flaw was triggered. He discovered that some information about the vehicle was collected from a page of Tesla application that was used to see the vital statistics of the car.
The exposed information included the vehicle’s VIN, speed, temperature, version number, whether it was locked or not, tire pressure, and alerts. The data also included other firmware info such as geofense locations, CAN viewers, and configurations.
“The thing that was very interesting was that live support agents have the capability to send updates out to cars and, most likely, modify configurations of vehicles. My guess was that this application had that functionality based off the different hyperlinks within the DOM,” Curry wrote. “I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars.”
“If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.” he added.
The researcher reported the flaw to Tesla that acknowledged it and addressed it is only 12 hours. Below the timeline of the flaw:
Curry was awarded $10,000 for reporting the flaw to Tesla.
“Looking back, this was a very simple issue but understandably something that could’ve been overlooked or regressed somehow. Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information,” Curry concludes.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Tesla, XSS)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical Remote Code Execution vulnerability in the Tinyproxy service potentially impacted 50,000 Internet-Exposing hosts.…
The UK Ministry of Defense disclosed a data breach at a third-party payroll system that…
The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of…
MITRE published more details on the recent security breach, including a timeline of the attack…
Alexander Vinnik, a Russian operator of virtual currency exchange BTC-e pleaded guilty to participating in…
The City of Wichita in Kansas was forced to shut down its computer systems after…
This website uses cookies.