Toyota’s Global Supplier Readiness Information Management System (GSPIMS) was hacked by a security researcher who responsibly reported the issue to the company.

GSPIMS is the automaker’s web-based application that allows employees and suppliers to remotely connect and manage the company’s global supply chain.

The security researcher, who posts under the pseudonym EatonWorks, discovered a ‘backdoor’ in Toyota’s system that allowed anyone to access an existing user account as long as they knew that user’s email address.

During a penetration test, the researcher discovered that he could freely access thousands of confidential documents, internal projects, supplier information, etc.

The issues were responsibly reported to Toyota on November 3, 2022, and the Japanese automaker confirmed they were resolved by November 23, 2022.

EatonWorks published a detailed article on the findings today, after the 90-day disclosure period had elapsed.

Toyota has not compensated the researcher for responsibly disclosing the discovered vulnerabilities.

Breaching Toyota

Toyota’s GSPIMS application is built on the Angular JavaScript framework and uses specific routes and functions to determine which users can access which pages.

The researcher discovered that by modifying the JavaScript of these functions so that they return “true” values, he could unlock access to the application.

Patching Angular functions (EatonWorks)

However, although the app now loaded, it showed no data because the researcher was not authenticated with it.

The researcher quickly discovered that the service generated a JSON Web Token (JWT) for passwordless login based solely on the user’s email address. Therefore, anyone who could guess a valid email address of a Toyota employee could obtain a valid JWT for that account.

Acquiring a valid JWT (EatonWorks)
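The two weaknesses above, client-side route guards that can be patched in the browser and a login token minted from nothing more than an email address, are best understood side by side with their fixes. The following is an added illustration written for this article, not code from Toyota or from EatonWorks’ write-up: a passwordless login that issues a JWT to whoever supplies a known address (the pattern described), next to one that only issues the JWT after a single-use, short-lived code sent to that mailbox is redeemed, plus a server-side role check that every data-returning API call should perform regardless of what the Angular front end allows. The signing key, user table and addresses are constructed placeholders, and the HS256 JWT helpers are hand-rolled so the example runs on the standard library alone.

```python
"""Added example (not Toyota's or EatonWorks' code). Contrasts a passwordless
login that mints a JWT from an e-mail address alone with one that requires
proof of control of the mailbox, and shows server-side role enforcement.
The key, user directory and addresses below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key; a real service loads this from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-reuse"
TOKEN_TTL = 3600   # seconds a session JWT stays valid
CODE_TTL = 600     # seconds a login code stays valid

# Constructed user directory: e-mail -> role.
USERS = {
    "regional.admin@example.invalid": "regional_admin",
    "sys.admin@example.invalid": "system_admin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, now: Optional[float] = None) -> str:
    """HS256 JWT with iat/exp; the signature covers header and payload."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {**claims, "iat": int(now), "exp": int(now) + TOKEN_TTL}
    payload = _b64url(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# --- The pattern the article describes: the e-mail address is the whole credential. ---
def weak_passwordless_login(email: str) -> Optional[str]:
    """Anyone who knows (or guesses) a valid address receives that user's session."""
    if email not in USERS:
        return None
    return mint_jwt({"sub": email, "role": USERS[email]})


# --- Hardened pattern: a single-use code delivered to the mailbox proves control of it. ---
_pending: dict = {}   # sha256(code) -> (email, expiry)


def request_login_code(email: str, outbox: list, now: Optional[float] = None) -> None:
    """Step 1: create a code and hand it to the mail transport (simulated by `outbox`).
    Unknown addresses are ignored silently so the endpoint does not confirm who has an account."""
    now = time.time() if now is None else now
    if email not in USERS:
        return
    code = secrets.token_urlsafe(32)
    _pending[hashlib.sha256(code.encode()).hexdigest()] = (email, now + CODE_TTL)
    outbox.append((email, code))


def redeem_login_code(code: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: only the holder of the code (the mailbox owner) gets a JWT; the code is consumed."""
    now = time.time() if now is None else now
    entry = _pending.pop(hashlib.sha256(code.encode()).hexdigest(), None)
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    return mint_jwt({"sub": email, "role": USERS[email]}, now)


def authorize(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Each data-returning API call re-checks the role claim on the server; a browser whose
    Angular route guards have been patched to return true still receives nothing here."""
    claims = verify_jwt(token, now)
    return claims is not None and claims.get("role") == required_role
```

The design point is that the email address is an identifier, not a secret: the hardened path treats the mailbox as the factor and proves control of it with a code that is hashed at rest, expires, and can be redeemed only once, while `authorize` shows that the role decision belongs on the server, where patched front-end JavaScript cannot reach it.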

Googling Toyota employees or performing OSINT on LinkedIn would be enough to find or formulate a valid email address; this was the route the researcher took for the intrusion, which landed on a regional administrator account.

From there, EatonWorks pivoted to a system administrator account by exploiting an information disclosure flaw in the system’s API. The researcher then simply escalated to a more privileged account by finding and using a system administrator’s email address.

Full access to classified documents

A system administrator on GSPIMS can access sensitive information such as classified documents, project schedules, vendor rankings and user data for 14,000 users.

For each of them, the admin can access their projects, tasks and surveys, edit user details, modify or delete data, create backdoor user accounts, or set the stage for a targeted phishing campaign.

Toyota internal documents (EatonWorks)

The most unpleasant aspect of this attack is that a malicious actor could have silently accessed Toyota’s system and then copied data without modifying anything, which keeps the probability of discovery very low.

It is impossible to determine whether something like this has ever happened, but there has been no massive Toyota data leak, so it is assumed that EatonWorks was the first to find the login bypass flaw.

This disclosure follows a series of breaches, data leaks and other vulnerabilities discovered over the past year.

In February 2022, the Japanese automaker announced that it was forced to stop car production operations due to a cyberattack against one of its suppliers, Kojima Industries.

In October 2022, Toyota customers suffered a data breach after a contractor developing Toyota T-Connect, the brand’s official connectivity app, left a GitHub repository containing customer data publicly exposed.

In January 2023, a security researcher published the details of several API security vulnerabilities affecting several automakers, including Toyota, which could potentially reveal owner details.
