Zveare accessed customers’ names, addresses, phone numbers, email addresses and tax IDs as well as vehicle, service and ownership history for an unknown number of Toyota customers in Mexico. He bypassed the automaker’s corporate login screen and modified the application’s development environment. That is where testing of the application’s functions occurs before it goes live.
Toyota told Automotive News in an email that it “takes cyber threats very seriously” and “promptly remediated the reported vulnerability.”
The automaker said there was no evidence of malicious access to Toyota systems and that it appreciated the research performed by Zveare. It invited other hackers to partner by visiting its security vulnerability disclosure program at HackerOne.
Toyota’s C360 application aggregates data about customers from across the company. In a single view, an employee can see a customer’s name, address, contact information, gender and interactions with the company. This information includes purchase history, billing, service issues, social presence and channel preferences.
Businesses can use this data to inform engagement strategies, customer journey steps, communications, personalized offers and deliveries, Zveare wrote in a blog post outlining the hack.
The vulnerability cropped up in the application programming interface, or API, software that sits in front of a web server. An API lets web-based applications and Internet-connected devices built on different software communicate with each other and exchange data. When one server's API talks to another server, the API's endpoint specifies where that data can be accessed; an endpoint is typically a URL on a server or service.
“Toyota likely believed no one would find the production API endpoint since the production app was locked down, but it looks like their developers included it in the dev app,” Zveare said. “There is nothing wrong with enhancing an app’s loading experience,” but in this case, it created a security vulnerability.
Developers of Toyota’s application likely did this to make the application load faster, Zveare said.
Toyota’s customer information was exposed because the application’s API endpoints also did not require authentication.
“Toyota fixed the issue by taking some of the sites offline and updating the APIs to require an authentication token,” Zveare said. “Basically a day after I reported the issue to Toyota, they took all the sites offline. I was impressed by how quickly they reacted.”
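As an added illustration, not code from Toyota or from Zveare's write-up, the following Python models the two problems the article describes (a production endpoint shipped inside the development app, and an endpoint that serves customer records without authentication) next to the reported fix of requiring an authentication token. The hostname, token store and customer record are constructed placeholders.

```python
# Added illustration (not Toyota's code): a minimal model of the two defects the
# article describes and of the fix Zveare reports (endpoints now require a token).
import hmac
import re

# Constructed sample data; the field names mirror what the article says C360 exposes.
CUSTOMERS = {
    "1001": {"name": "Ana Example", "address": "Calle 1, CDMX", "tax_id": "EXAM010101XXX"},
}
# Hypothetical hostname and token store, used only for this example.
PROD_API = "https://c360-api.example-prod.invalid"
VALID_TOKENS = {"service-account-1": "constructed-secret-token"}


def find_production_hosts(bundle_text: str, prod_hosts: set[str]) -> list[str]:
    """Build-time check: return production API hosts referenced in a non-production
    bundle. The article says the dev app shipped the production endpoint; a check
    like this in CI flags that before release."""
    urls = re.findall(r"https?://[A-Za-z0-9.\-]+", bundle_text)
    return sorted({u for u in urls if u in prod_hosts})


def _token_is_valid(headers: dict) -> bool:
    """Constant-time comparison of a presented bearer token against known tokens."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    return any(hmac.compare_digest(presented, t) for t in VALID_TOKENS.values())


def handle_request(path: str, headers: dict, require_token: bool) -> tuple[int, dict]:
    """require_token=False models the reported state (anyone who knows the endpoint
    gets the record); True models the fix (401 without a valid token)."""
    m = re.fullmatch(r"/api/customers/(\d+)", path)
    if not m:
        return 404, {}
    if require_token and not _token_is_valid(headers):
        return 401, {"error": "authentication token required"}
    record = CUSTOMERS.get(m.group(1))
    return (200, record) if record else (404, {})


if __name__ == "__main__":
    dev_bundle = 'const API = "' + PROD_API + '";  // constructed dev build snippet'
    print(find_production_hosts(dev_bundle, {PROD_API}))          # leaked prod host
    print(handle_request("/api/customers/1001", {}, False)[0])    # 200: exposed
    print(handle_request("/api/customers/1001", {}, True)[0])     # 401: after fix
```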
Toyota likely spent the next few weeks making necessary security improvements and ensuring no one maliciously accessed any customer information, Zveare said.
Toyota did not issue an advisory about the breach, likely because no malicious access was found, Zveare said.
In a separate hack in November, Zveare breached an application used by Toyota’s employees and suppliers. No customer data was exposed in that hack, but read-and-write access to 14,000 corporate email accounts, associated confidential documents, projects, supplier rankings, comments and other information was accessible.