A security researcher discovered a serious security vulnerability that risked Toyota’s suppliers’ and users’ data. Specifically, he noticed a backdoor in the Toyota supplier management network exposing sensitive details. Following his report, Toyota promptly addressed the issue, preventing any malicious exploit.
Toyota Supplier Management Network Backdoor Exposed Sensitive Data
The researcher Eaton Zveare has recently shared details about a backdoor in the supplier management network that risked the security of Toyota suppliers.
As explained in his post, the backdoor existed in Toyota’s Global Supplier Preparation Information Management System (GSPIMS), and an attacker could have exploited it to access sensitive details of the firm’s suppliers and other users.
Briefly, while scanning the Toyota website’s subdomains, he noticed that he could sign in to the GSPIMS app as any supplier or corporate user using only an email address.
With some effort, such as patching the Angular route guards CanActivate and CanActivateChild to return true and removing the logout code from the web page’s source, Zveare accessed the app using a system admin’s email address.
Examining the code further revealed the underlying flaw: the app generated a JSON Web Token (JWT) based on the supplied email alone, without requiring a password. Since he had logged in with a system admin’s email, he ended up with (in his words) ‘total, global control’ over the system.
With this level of access, he could view the details of over 14,000 users; all of Toyota’s inactive, active, and global projects (with codenames); project schedules; confidential documents; and details about 3,000 Toyota suppliers.
In his post, the researcher shared the technical details of this vulnerability, along with screenshots.
Toyota Addressed The Unwarranted Data Exposure
While examining the supplier management network, the researcher took care not to modify any data that could disrupt Toyota’s operations.
After confirming the backdoor, he reported the matter to the firm, and the firm promptly fixed the glitch. Explaining the patch, the researcher stated,
Toyota/SHI fixed the issue by making the createJWT and findByEmail endpoints return HTTP status 400 – Bad Request in all cases.
Besides confirming the fix, the researcher appreciated Toyota’s prompt action to address the flaw.