techcrunch.com - Security researcher Eaton Zveare told TechCrunch that the flaws he discovered in the carmaker's centralized dealer portal exposed vast access to customer and vehicle data. With this access, Zveare said he could remotely take over a customer's account and unlock their cars, and more.
A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.
Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.
With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars’ functions from anywhere.
Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.
Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.
He said while the security flaws in the portal’s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmakers’ dealers across the United States, he told TechCrunch.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.
Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.
In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.
With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars’ functions from an app, such as unlocking their cars.
Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind of freaks me out a bit — or I could just look up a car in the parking lots.”
Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.
Another key problem with access to this carmaker’s portal was that it was possible to access other dealer’s systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said the carmaker’s systems for dealers are all interconnected so it’s easy to jump from one system to another.
With this, he said, the portal also had a feature that allowed admins, such as the user account he created, to “impersonate” other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.
techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.
“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”
LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
techcrunch.com 24.07 - "We're getting a lot of stuff that looks like gold, but it's actually just crap,” said the founder of one security testing firm. AI-generated security vulnerability reports are already having an effect on bug hunting, for better and worse.
So-called AI slop, meaning LLM-generated low-quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.
The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.
“People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’,” Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.
“It turns out it was just a hallucination all along. The technical details were just made up by the LLM,” said Ionescu.
Ionescu, who used to work at Meta’s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,” said Ionescu.
“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Ionescu.
Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. “The attacker miscalculated badly,” Sintonen wrote in a post on Mastodon. “Curl can smell AI slop from miles away.”
In response to Sintonen’s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is “flooded with AI garbage.”
One open source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving “almost entirely AI slop reports.”
The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.
techcrunch.com - Google has suspended the account of phone surveillance operator Catwatchful, which was using the tech giant’s servers to host and operate the monitoring software.
Google’s move to shut down the spyware operation comes a month after TechCrunch alerted the technology giant the operator was hosting the operation on Firebase, one of Google’s developer platforms. Catwatchful relied on Firebase to host and store vast amounts of data stolen from thousands of phones compromised by its spyware.
“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,” Google spokesperson Ed Fernandez told TechCrunch in an email this week.
When asked by TechCrunch, Google would not say why it took a month to investigate and suspend the operation’s Firebase account. The company’s own terms of use broadly prohibit its customers from hosting malicious software or spyware operations on its platforms. As a for-profit company, Google has a commercial interest in retaining customers who pay for its services.
As of Friday, Catwatchful is no longer functioning nor does it appear to transmit or receive data, according to a network traffic analysis of the spyware carried out by TechCrunch.
Catwatchful was an Android-specific spyware that presented itself as a child-monitoring app “undetectable” to the user. Much like other phone spyware apps, Catwatchful required its customers to physically install it on a person’s phone, which usually requires prior knowledge of their passcode. These monitoring apps are often called “stalkerware” (or spouseware) for their propensity to be used for non-consensual surveillance of spouses and romantic partners, which is illegal.
Once installed, the app was designed to stay hidden from the victim’s home screen, and upload the victim’s private messages, photos, location data, and more to a web dashboard viewable by the person who planted the app.
TechCrunch first learned of Catwatchful in mid-June after security researcher Eric Daigle identified a security bug that was exposing the spyware operation’s back-end database.
The bug allowed unauthenticated access to the database, meaning no passwords or credentials were needed to see the data inside. The database contained more than 62,000 Catwatchful customer email addresses and plaintext passwords, as well as records on 26,000 victim devices compromised by the spyware.
The data also exposed the administrator behind the operation, a Uruguay-based developer called Omar Soca Charcov. TechCrunch contacted Charcov to ask if he was aware of the security lapse, or if he planned to notify affected individuals about the breach. Charcov did not respond.
With no clear indication that Charcov would disclose the breach, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
Catwatchful is the latest in a long list of surveillance operations that have experienced a data breach in recent years, in large part due to shoddy coding and poor cybersecurity practices. Catwatchful is by TechCrunch’s count the fifth spyware operation this year to have spilled users’ data, and the most recent entry in a list of more than two-dozen known spyware operations since 2017 that have exposed their banks of data.
As we noted in our previous story: Android users can identify if the Catwatchful spyware is installed, even if the app is hidden, by dialing 543210 into your Android phone app’s keypad and pressing the call button.
