Researcher breaches Toyota supplier portal with info on 14,000 partners
2023-02-07 15:58

Toyota's Global Supplier Preparation Information Management System was breached by a security researcher who responsibly reported the issue to the company.

The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022.

Toyota did not compensate the researcher for responsibly disclosing the discovered vulnerabilities.

If someone could guess a valid email address of a Toyota employee, they could generate a valid JWT. Simply Googling Toyota employees or performing OSINT on LinkedIn would be enough to find or formulate an email address. That is the pathway the researcher took for the intrusion, finding a regional admin account.
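The design flaw described above, shown next to a hardened issuer. This is an added example, not code from the article or from Toyota's system; the function names, the user store, and the sample account are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)  # demo signing key, regenerated on every run
_SALT = os.urandom(16)
# Constructed user store (assumption): email -> PBKDF2 hash of the password
USERS = {"admin@example.com":
         hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000)}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    """Build an HS256 JWT over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64(mac.digest())}"

def issue_token_email_only(email: str):
    """Flawed pattern: the email is treated as identifier AND as proof."""
    if email not in USERS:
        return None
    return _sign({"sub": email, "exp": int(time.time()) + 900})

def issue_token_verified(email: str, password: str):
    """Hardened: the token is signed only after a credential check."""
    stored = USERS.get(email, b"")  # unknown users still cost one hash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    return _sign({"sub": email, "exp": int(time.time()) + 900})

def verify_token(token: str):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256)
        if not hmac.compare_digest(_b64(mac.digest()), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError):
        return None
```

Both issuers produce tokens that pass signature verification, which is why the flaw is invisible downstream: the only place to enforce authentication is before the signing step.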

In October 2022, Toyota customers suffered a data breach after a contractor developing Toyota T-Connect, the brand's official connectivity app, left a GitHub repository containing client data publicly exposed.

In January 2023, a security researcher published the details of multiple API security flaws impacting several automakers, including Toyota, which could potentially expose owner details.


News URL

https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-supplier-portal-with-info-on-14-000-partners/