A vulnerability in the Tesla Retail Tool (TRT) application allowed a researcher to take over the accounts of former employees.
Designed with support for both employee and vendor logins, TRT stores various types of enterprise information, including financial information, details on Tesla locations, contact information, building plans, network circuit details, and details on local, ISP, and utility account logins.
The application allows both internal and external account logins and uses for authentication a JSON Web Token (JWT) that specifies an email address cleared for manually defined user accounts, security researcher Evan Connelly explains.
“At Tesla’s scale, it would be hard to manually update that list every time an employee leaves. And in theory, it should be okay if past employees have access defined within a web app, as their IDP account would be disabled or deleted and thus unable to login to the app through Tesla’s internal IDP,” Connelly notes.
The researcher discovered not only that accounts of past employees were still lurking in Tesla’s internal systems, but also that it was possible to register an external account with the internal email of a former employee, and then access TRT with the privileges of that employee’s account.
After searching online for former Tesla employees who might have had access to TRT, the researcher was able to use their internal Tesla email addresses to register external accounts that allowed him to access the TRT.
Because account privileges were defined by email address, Connelly could log into TRT with the privileges of the disabled accounts, essentially taking over those accounts.
The issue, Connelly explains, was that TRT was created with support for both an internal and an external identity provider, but it did not check which of the providers the user logged in with.
The researcher reported the vulnerability to Tesla on November 19, 2022, through the company’s bug bounty program on Bugcrowd. The flaw was addressed within two days.
It’s unclear how much Connelly earned for his findings, but Tesla assigned the vulnerability a P1 priority rating, for which the carmaker typically pays between $3,000 and $15,000.
Related: Tesla Hacked Twice at Pwn2Own Exploit Contest
Related: German Consumer Group Sues Tesla Over Privacy, Climate
Related: Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars