Toyota Customer 360, a web application that aggregates customer data from across the organization, has been found to have a severe vulnerability that allowed a security researcher to access the personal information of Toyota customers in Mexico.
The researcher found that Toyota had deployed five versions of the platform and was able to modify the development app so that it reached production data.
Once he had access to the application, he could search for customer records by name, phone number, ID, or email address. Toyota fixed the vulnerability less than three weeks after it was reported.
The security vulnerability in Toyota Customer 360 allowed a researcher to bypass authentication in the application and access customer data, including names, addresses, phone numbers, email addresses, vehicle history, purchase and service data, and tax ID.
According to the researcher, the production and QA API endpoints did not require an authentication token, and because they were referenced in the development app, they were reachable from every environment.
Although the production front end itself was locked down, that protection did not extend to the APIs: with the login bypass in the development app and its API endpoint changed to point at production, production data could still be read.
Toyota resolved the vulnerability less than three weeks after it was reported by the researcher, taking some of the sites offline and updating the APIs to require an authentication token.
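The pattern described above, as an added illustration that is not Toyota's code: an API that trusts the front end to have authenticated the user (so a modified development client reaches production data) beside one where each environment's API validates its own bearer token. Environment names, tokens and customer records are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample: one customer record per environment (not real data).
ENV_DATA = {
    "dev": {"customer_1": {"name": "Dev Test Customer"}},
    "qa": {"customer_1": {"name": "QA Test Customer"}},
    "production": {"customer_1": {"name": "Production Customer"}},
}

# One API token per environment; in practice these come from a secret store.
API_TOKENS = {env: secrets.token_hex(16) for env in ENV_DATA}


def lookup_customer_vulnerable(env, customer_id, headers):
    """Pre-fix pattern: the API assumes the front end already authenticated the
    caller, so the token is never checked. Any client that can reach the host
    can query any environment, including production."""
    return 200, ENV_DATA[env].get(customer_id)


def lookup_customer_fixed(env, customer_id, headers):
    """Post-fix pattern: the API of every environment validates its own bearer
    token before touching data, so a modified dev client gains nothing."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    expected = API_TOKENS[env]
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode(), expected.encode()
    ):
        return 401, None
    return 200, ENV_DATA[env].get(customer_id)


def dev_client_against_production(api, token=None):
    """Simulate a development build whose API base URL was edited to point at
    production. Returns the HTTP status the client would see."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    status, _ = api("production", "customer_1", headers)
    return status
```

The regression check worth keeping is the last function: a client carrying no token, or only the dev environment's token, must be refused by the production API.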
A month earlier, the same researcher had disclosed an issue in Toyota's global supplier management network web portal that allowed him to access thousands of user accounts and to read and tamper with sensitive data.