A security researcher discovered a vulnerability in Tesla’s Retail Tool (TRT) application that allowed them to take over the accounts of former employees. TRT stores enterprise information, including financial details, contact information, building plans, and network circuit details. The application allows both internal and external account logins, using a JSON Web Token for authentication.
The researcher found that TRT still had accounts of past employees in Tesla’s internal systems, which allowed them to register an external account using a former employee’s internal email address and access TRT with their privileges.
Because account privileges were tied to the email address alone, the researcher could take over disabled accounts. The root cause was that TRT accepted logins from both internal and external identity providers without checking which provider had actually authenticated the user.
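As an added illustration of the root cause (not code from Tesla, TRT or the researcher), here is a minimal HS256 token check with two authorization paths: the weak one grants privileges by email alone, while the hardened one binds each account to the issuer allowed to assert it and refuses disabled accounts. The issuer URLs, signing keys and account directory are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed: two identity providers, each with its own HS256 key (hypothetical URLs).
IDP_KEYS = {
    "https://idp.internal.example": b"internal-secret-key",
    "https://idp.external.example": b"external-secret-key",
}

# Weak directory: privileges keyed on email only, as the flaw describes.
PRIVILEGES_BY_EMAIL = {"former.employee@example.com": "admin"}

# Hardened directory: account bound to the issuer that may assert it,
# plus an enabled flag so a disabled account cannot be reused.
ACCOUNTS = {
    ("https://idp.internal.example", "former.employee@example.com"):
        {"role": "admin", "enabled": False},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature) for the constructed IdPs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str) -> dict:
    """Verify the signature with the key of the issuer named in the payload.
    The header's alg field is deliberately ignored; HS256 is always assumed."""
    header, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    key = IDP_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return claims

def authorize_weak(token: str):
    # Any validly signed token carrying a known email gets that email's role,
    # no matter which identity provider issued it.
    return PRIVILEGES_BY_EMAIL.get(verify_token(token)["email"])

def authorize_hardened(token: str):
    claims = verify_token(token)
    acct = ACCOUNTS.get((claims["iss"], claims["email"]))
    return acct["role"] if acct and acct["enabled"] else None
```

A token from the external issuer for an internal email passes the weak path but is rejected by the hardened one, as is any token for an account that has been disabled.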
Tesla addressed the vulnerability within two days of the researcher reporting it through the company's bug bounty program on Bugcrowd. The flaw was assigned a P1 severity rating, for which Tesla typically pays between $3,000 and $15,000.
It is unknown how much the researcher earned for their findings. Tesla explained that it is difficult to manually update the list of users who have access to the app after an employee leaves the company.
This incident highlights the importance of regularly reviewing access privileges to internal systems and applications, especially after an employee leaves an organization. Companies should also consider implementing security measures to prevent unauthorized access by former employees.
Organizations can learn from Tesla’s swift response to this vulnerability by having a bug bounty program in place to identify and address security flaws.