A security researcher has claimed to have gained access to sensitive information associated with around 3,000 suppliers and 14,000 users worldwide by compromising Toyota’s supplier management network.
How the Hacker Gained Access
Eaton Zveare exploited a vulnerability in a web application used by Toyota employees and suppliers to coordinate projects, which contained details about parts, surveys, and purchases. Notable partners and suppliers found on the system included Michelin, Continental, and Stanley Black & Decker.
Zveare was able to access Toyota’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator through a backdoor in the login mechanism. Zveare described the security hole, which Toyota quickly patched, as “one of the most severe vulnerabilities I have ever found”.
Zveare began by patching the JavaScript of the Angular single-page application, which SHI International Corp built for Toyota, so that the client-side login check no longer stopped him. That exposed the backdoor: a createJWT HTTP request that returned a valid JSON Web Token for any email address supplied, with no password required. The createJWT API backed an ‘Act As’ feature that let high-privilege users log in as any global user, and it could be called without first authenticating as one of those users.
Finding a valid email required only a little research of Toyota personnel, since Toyota used a predictable email format in North America (firstname.lastname@toyota.com). Once logged in as a user with a ‘Mgmt – Purchasing’ role, Zveare worked his way up to SysAdmin: a rolePrivileges node in the user/details API response revealed each account’s privileges, and a findByEmail API endpoint returned a user’s managers, so by feeding each manager’s email back into createJWT he could climb the reporting chain until he landed on an account with SysAdmin privileges.
Consequences of the Hack
Zveare noted that an attacker with access to the GSPIMS could have deleted, modified, or leaked sensitive data, and abused the data to craft spear phishing campaigns. The attacker could have also “added their own user account with an elevated role, to retain access should the issue ever be discovered and fixed”.
Zveare alerted Toyota to the vulnerability on November 3, 2022; Toyota responded the same day and confirmed on November 23 that the issue had been fixed. Toyota and SHI closed the hole by making the createJWT and findByEmail endpoints return ‘HTTP status 400 – Bad Request’ in all cases, which disables both endpoints outright rather than adding an authorization check to them.
Zveare told The Daily Swig, “I was glad Toyota recognized the severity of the issue and quickly fixed it. Toyota is a huge corporation and it seems like their security team is set up to efficiently address vulnerabilities across all aspects of the company”. Zveare added, “A bounty payment would have been nice, but they did not offer one in this case. I hope they will consider changing this in the future. Recognition is always appreciated, but offering rewards is how you attract top talent and keep exploits off the black market.”
Conclusion
The Toyota GSPIMS disclosure is a reminder that authentication and authorization must be enforced server-side on every endpoint, including convenience features such as ‘Act As’ impersonation, and that API responses should not expose more than the caller needs, such as role privileges or reporting lines. Toyota’s same-day response and a fix within three weeks show a security team set up to act on external reports.