Connect with us

Hi, what are you looking for?



Tesla Retail Tool Vulnerability Led to Account Takeover

A vulnerability in Tesla’s Retail Tool application allowed a researcher to take over accounts of former employees.

A vulnerability in the Tesla Retail Tool (TRT) application allowed a researcher to take over the accounts of former employees.

Designed with support for both employee and vendor logins, TRT stores various types of enterprise information, including financial information, details on Tesla locations, contact information, building plans, network circuit details, and details on local, ISP, and utility account logins.

The application allows both internal and external account logins and uses for authentication a JSON Web Token (JWT) that specifies an email address cleared for manually defined user accounts, security researcher Evan Connelly explains.

“At Tesla’s scale, it would be hard to manually update that list every time an employee leaves. And in theory, it should be okay if past employees have access defined within a web app, as their IDP account would be disabled or deleted and thus unable to login to the app through Tesla’s internal IDP,” Connelly notes.

The researcher discovered not only that accounts of past employees were still lurking in Tesla’s internal systems, but also that it was possible to register an external account with the internal email of a former employee, and then access TRT with the privileges of that employee’s account.

After searching online for former Tesla employees who might have had access to TRT, the researcher was able to use their internal Tesla email addresses to register external accounts that allowed him to access the TRT.

Because account privileges were defined by email address, Connelly could log into TRT with the privileges of the disabled accounts, essentially taking over those accounts.

Advertisement. Scroll to continue reading.

The issue, Connelly explains, was that TRT was created with support for both an internal and an external identity provider, but it did not check which of the providers the user logged in with.

The researcher reported the vulnerability to Tesla on November 19, 2022, through the company’s bug bounty program on Bugcrowd. The flaw was addressed within two days.

It’s unclear how much Connelly earned for his findings, but Tesla assigned the vulnerability a P1 priority rating, for which the carmaker typically pays between $3,000 and $15,000. 

Related: Tesla Hacked Twice at Pwn2Own Exploit Contest

Related: German Consumer Group Sues Tesla Over Privacy, Climate

Related: Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.