Monday, June 8

A cybersecurity researcher uncovered flaws in a major carmaker’s online dealership portal that could have exposed customer information and vehicle data and allowed hackers to remotely unlock cars, TechCrunch reported.

Eaton Zveare, a researcher at software delivery firm Harness, told TechCrunch the vulnerability “allowed me to create an administrator account with complete access to the system.” The portal, used by more than 1,000 dealerships in the United States, stores personal and financial data, vehicle telematics, and tools for pairing cars with mobile apps for remote functions.

“The login process had insecure code that let me bypass authentication and gain ‘national admin’ privileges,” Zveare said. “From there, I could track vehicles, transfer ownership in the system, or even unlock a car’s doors.”

To illustrate the risk, Zveare said he used a vehicle identification number to identify an owner and, with a friend’s consent, reassigned the vehicle to an account he controlled. “All it took was checking a box saying I was legitimate,” he said.

Zveare told TechCrunch the portal’s interconnected systems and single sign-on features also gave access to other dealership tools, including a user impersonation function, a capability he has seen in other automaker portals.

He said the vulnerabilities were reported in February 2025 and “were fixed within a week.” The carmaker, which TechCrunch did not name, found no evidence of prior exploitation.

Alexander Reed is a general electric vehicle journalist at evmagz, covering global EV launches, battery technology, charging infrastructure, and clean mobility trends across major markets. When he’s not writing about the future of transportation, he enjoys weekend road trips, testing new tech gadgets, and photography. For editorial inquiries, contact: info@evmagz.com
