Opening the car from your phone promises convenience. A security flaw has shown that we may not be the only ones holding the key

Imagine that it is enough to look at a car's windshield to read its VIN (a 17-character code visible from outside), enter it into an internal tool, find out the owner's name and link that vehicle to a mobile account. From there, you could unlock the doors remotely from the official app, without touching a lock or forcing anything.

That is exactly what a cybersecurity researcher demonstrated after gaining access to the internal portal used by the dealers of a large car brand. This is not an attack on users or on public-facing servers, but a gap in the business platform that connects the manufacturer with its sales network: a back door with access to connected-car functions and personal data.

The flaw was not in the car, but in the chain that ties everything together

Behind this finding is Eaton Zveare, who has been tracking vulnerabilities in the digital platforms of large brands, particularly in the automotive sector. This time was no different. Zveare discovered that the internal web portal of a well-known car brand allowed its behaviour to be modified from the browser itself. Specifically, he was able to alter the code of the login page to skip security checks and create an administrator account with national privileges. With that account, his access covered more than 1,000 dealerships in the United States.

From there, the scale of the problem changed completely. It was no longer a matter of accessing the internal resources of one dealership. The account he was able to generate gave access to the whole system: he could see the data of every connected dealership, act on behalf of other users without knowing their credentials and, most delicate of all, reach tools that allowed him to look up information about vehicles and their owners. All of this from a platform that, in theory, is reserved for professionals in the sector.

Zveare did not force anything, install any malicious software or attack from the outside. What he found was a badly closed door inside a legitimate system. And the most worrying part is that this door did not just let him in: from within, it offered a set of tools that nobody outside the manufacturer should be able to control so easily.


In the United States, the laws that regulate vehicle sales vary by state, but they share a common principle: in most of them, manufacturers cannot sell new cars directly to consumers. They are obliged to do so through independent dealers, who are legally protected against direct competition from the manufacturer. That has given rise to a franchised network structure that groups thousands of sales and after-sales points.

Tesla has tried to break away from that model and sell directly, but it has not been easy. Although it has managed to do so in some states, in many others it still runs into legal restrictions that prevent it from selling or even delivering vehicles directly. Its case is the most visible exception, but not the norm.

The most delicate point is not that this system exposed confidential information. The serious part is that it allowed someone to act with high privileges, as if they were part of the manufacturer's official structure. From there it was possible to assume the identities of other employees, intervene on vehicles registered anywhere in the country or reach functions designed exclusively for authorised technicians.

The portal was designed to give the dealer network agility, not to resist malicious access from within

As we said above, every car has a unique VIN. It is a 17-character code of letters and numbers that serves to identify it legally anywhere in the world.

What the average driver probably does not imagine is that this code is visible from the outside, at the base of the windshield, and that in this case it was the key to the door. In a real test, Zveare entered a VIN visible from outside the car and obtained the owner's name. From the portal it was also possible to pair the vehicle with a new mobile account.
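The two failures described above (security checks that ran in the browser, and a VIN lookup that any portal account could point at any vehicle in the country) are both authorization problems on the server side. The following is an added example, not code from the article or from the affected portal, showing how a dealer portal can enforce both: every privilege comes from a server-held session, and lookups are scoped to the caller's own dealership. The session tokens, roles, VINs and owner names are constructed placeholders.

```python
import re

# VINs are 17 characters; the letters I, O and Q are never used.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")

# Constructed sample data. Sessions are issued and stored by the server;
# nothing the browser submits can change the role or dealer_id recorded here.
SESSIONS = {
    "tok-dealer-42": {"user": "alice", "role": "dealer_admin", "dealer_id": 42},
    "tok-admin-nat": {"user": "carol", "role": "national_admin", "dealer_id": None},
}
# VIN -> owner record (constructed placeholders, not real vehicles).
VEHICLES = {
    "1ABCD12345E678901": {"owner": "Owner A", "dealer_id": 42},
    "2ABCD12345E678902": {"owner": "Owner B", "dealer_id": 7},
}


class Forbidden(Exception):
    """Raised for any request the caller's session does not authorize."""


def _session(token):
    s = SESSIONS.get(token)
    if s is None:
        raise Forbidden("no valid session")
    return s


def lookup_owner(token, vin):
    """Return the owner name only for vehicles tied to the caller's dealership."""
    s = _session(token)
    if not VIN_RE.fullmatch(vin):
        raise ValueError("malformed VIN")
    rec = VEHICLES.get(vin)
    # Unknown VIN and out-of-scope VIN produce the same error, so the lookup
    # cannot be used as an oracle for which VINs exist in the system.
    if rec is None or (s["role"] != "national_admin" and rec["dealer_id"] != s["dealer_id"]):
        raise Forbidden("VIN not available to this account")
    return rec["owner"]


def create_user(token, new_user, requested_role, dealer_id):
    """Bound the new account's role and scope by the caller's session, not by
    the role and dealer_id fields the client chose to send."""
    s = _session(token)
    if s["role"] != "national_admin":
        if requested_role == "national_admin" or dealer_id != s["dealer_id"]:
            raise Forbidden("cannot grant privileges beyond own dealership")
    return {"user": new_user, "role": requested_role, "dealer_id": dealer_id}


def denied(fn, *args):
    """True if the call is refused by authorization (used to exercise the checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```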

Zveare did not try to drive any vehicle or alter its physical configuration. But with the control he had, opening one remotely and emptying its interior would have been perfectly possible.

To date, the name of the affected manufacturer has not been made public. And not because nobody knows it. The researcher who discovered the vulnerability does know which brand was behind the compromised portal, but has decided not to name it in his report or during his presentation. Nor has TechCrunch, the first outlet to report on the case, revealed the manufacturer's identity.

This is not so unusual. In some cases, researchers choose to keep the company involved anonymous out of prudence, even once the vulnerability has been fixed, to avoid putting third parties at risk: dealerships, employees or customers who still depend on that system. The fact that the compromised platform gave access to entire networks, rather than an isolated server, may also play a part.

Images | Xataka with Gemini 2.5 Flash
