Imagine you’re walking through a parking lot. You jot down a car’s VIN from the windshield. A few minutes later, you’ve got access to the owner’s personal data — and, with a few clicks, you could unlock their car. Sounds like a thriller movie plot, right? Except it’s not fiction.
This is what Eaton Zveare, a security researcher at software company Harness, discovered earlier this year while poking around a carmaker’s web portal — just for fun.
A Bug Hunt That Got Way Too Real
Zveare, who’s known for uncovering vulnerabilities in major automotive portals, found some serious security issues in a popular (but unnamed) automaker’s web system. While working on a weekend project, he stumbled onto a login flaw that let him bypass the login entirely and create an all-powerful “national admin” account.
With that, he had full control. And we mean full. According to Zveare, this included:
- Access to over 1,000 car dealerships across the U.S.
- Customer personal and financial data
- Real-time vehicle tracking
- The ability to unlock or pair cars to remote access apps with minimal proof
And he never even had to know a password.
How the Portal Got Owned
Let’s break it down. The portal enforced its login checks in JavaScript running in the browser, which is code the visitor fully controls. Zveare edited that code so the checks were skipped entirely, then created a “national admin” account. Once “in,” that account had the keys to the kingdom.
There was even a consumer lookup tool built into the portal. With just a VIN or a customer’s name, anyone logged in could pull up sensitive vehicle and driver data.
In a real-world example, Zveare used a VIN from a car parked in public. With the portal, he could instantly find the owner’s information. Just like that.
From Logging In to Unlocking Cars
The scariest part? Pairing a car with a mobile account — the kind that lets you control stuff like locks — was absurdly easy.
Zveare tried it using a friend’s account (with consent). All the system asked for was a simple attestation. Not verification. No real proof. Just a “promise” that he was authorized. Once paired, the car was his to control remotely.
“Basically, [the system] could do that to anyone just by knowing their name,” he said. “Which kind of freaks me out a bit.”
Same here.
More Than Just One Door Left Open
Zveare found the whole dealer system was interconnected. With the admin account, he could impersonate any other user. No logins required. That opened even more doors into internal systems, sensitive financial data, and live vehicle shipping information.
It mirrored a similar flaw he found in a Toyota dealership portal in 2023. The lesson? These backend dealership systems aren’t just full of data; they’re also riddled with holes.
“They’re just security nightmares waiting to happen,” he said.
What Happened After the Discovery?
Once he reported the issue, the carmaker (still unnamed) patched the vulnerabilities in about a week — in February 2025. There’s no evidence the flaw had been used maliciously before Zveare stepped in.
But here’s the thing: only two small API vulnerabilities were needed for the entire compromise. Two.
“It’s always related to authentication,” Zveare said. “If you’re going to get those wrong, then everything just falls down.”
Big Takeaway for the Rest of Us
This wasn’t a high-tech cyberattack or an elite espionage act. It was a single researcher with curiosity and browser tools — and that should concern all of us.
If two authentication bugs in a carmaker’s dealership portal can lead to unauthorized remote access to your car, privacy needs a serious tune-up.
Whether you’re building web apps or driving a connected car, this story is a strong reminder: security starts with the basics — and failing at authentication is like forgetting to lock your front door.
Stay aware, stay safe.
— Written for Yugto.io, where curiosity meets code.