
RL Blog


Leaky app gives researcher 'total, global control' over the Toyota supplier network

Researcher Eaton Zveare discloses massive back door in Toyota web app exploiting a JsonWebToken used for authentication

Paul Roberts, Blog Author, Content Lead at ReversingLabs


A security researcher said he discovered a back door in the code of a public-facing Toyota web application that gave him access to information on more than 14,000 corporate user accounts and detailed information on Toyota’s suppliers — and even the parts that make up Toyota vehicles.

Researcher Eaton Zveare described in a post on Wednesday the discovery of a serious flaw in Toyota’s Global Supplier Preparation Information Management System (or “GSPIMS”), a web application that Toyota uses to coordinate projects, parts, surveys, purchases, and other tasks related to the company’s global supply chain. The incident was reported to Toyota in November and has been patched, Zveare said.

It is just the latest incident to expose weaknesses in the company’s cybersecurity. In March 2022, Toyota had to halt domestic production of vehicles after a key supplier of plastic parts was hit with what appeared to be a ransomware attack. Then, in October, the company revealed that an access key in a public GitHub code repository had exposed personal information on more than 250,000 users of its T-Connect telematics service for more than five years.

Poking subdomains for fun and profit

Zveare said he discovered the flaw after perusing Toyota subdomains in October 2022, looking for exploitable flaws. While the purpose of the GSPIMS subdomain wasn’t initially clear, Zveare said the web application was created using the Angular web development framework.

The researcher used a well-known Angular workaround to manipulate the JavaScript of the GSPIMS website, bypass the initial login screen and gain access to the GSPIMS system. Once inside, Zveare analyzed the application’s code and discovered a reference to a JWT, or JSON Web Token. JWTs are signed credentials that are typically created when users authenticate with a valid user identity and password. They allow application users to access sensitive information via an API or in secured areas of a web application without having to re-authenticate.

No password needed: Valid email cracks Toyota supply chain

Zveare’s analysis, however, revealed the function he discovered appeared to return a JWT with nothing more than a valid Toyota email address — no password required. It was linked to a custom “Act As” function designed to allow one user to use the GSPIMS with the privileges of another user — a feature that unwittingly opened a huge back door to the application.  

After divining the correct email for a Toyota employee involved in purchasing (Toyota uses a standard format for employees’ email addresses), he found that he had read/write access to the global user directory containing more than 14,000 users' account details, confidential documents, projects, supplier rankings/comments, and more across Toyota’s global operations. 

By analyzing HTTP requests from the app using the Fiddler HTTP proxy, Zveare was able to identify other vulnerable APIs used by the GSPIMS application. Those gave him access to a wealth of information, including user accounts as well as a list of each user’s managers, allowing him to map out the reporting structure. By adopting a System Admin JWT, he found he was able to exercise “total, global control over the entire system,” including a Parts section of the GSPIMS application that listed parts associated with various “projects” and the affiliate/supplier. Also included: internal and confidential Toyota comments and reviews about their suppliers, he said.
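The core defect described above is an "Act As" endpoint that mints a token for whatever e-mail it is handed, without checking who is asking. The following is an added illustration written for this post, not code from GSPIMS or from Zveare's write-up: a minimal HS256 JWT minter with the weak pattern beside a hardened version that requires the caller's own valid admin token, forbids chained impersonation, and records the real actor in the token. The secret, user directory and e-mail addresses are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret and user directory; hypothetical, not any real system's.
SECRET = b"constructed-demo-hmac-key"
USERS = {"admin@example.com": "SystemAdmin", "buyer@example.com": "Purchasing"}
TOKEN_TTL = 900  # seconds; impersonation tokens should be short-lived

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def act_as_insecure(target_email: str) -> Optional[str]:
    """The pattern the article describes: any known e-mail yields a token,
    and nothing about the caller is ever checked."""
    if target_email not in USERS:
        return None
    return sign_jwt({"sub": target_email, "role": USERS[target_email],
                     "exp": int(time.time()) + TOKEN_TTL})

def act_as_secure(caller_token: str, target_email: str) -> Optional[str]:
    """Hardened form: the caller must present their own valid, unexpired token,
    hold the admin role, and not already be impersonating; the issued token
    carries an RFC 8693-style 'act' claim naming the real actor for audit."""
    caller = verify_jwt(caller_token)
    if caller is None or caller.get("role") != "SystemAdmin" or "act" in caller:
        return None
    if target_email not in USERS:
        return None
    return sign_jwt({"sub": target_email, "role": USERS[target_email],
                     "act": {"sub": caller["sub"]},
                     "exp": int(time.time()) + TOKEN_TTL})
```

Because the hardened version binds every impersonation token to an authenticated admin and stamps the actor into the claims, a lone e-mail address is no longer a credential and each "Act As" use is attributable in logs.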

Supply chain police: Round up the usual suspects 

The incident underscores a number of ongoing issues plaguing companies across industries. Among them: porous and leaky APIs (application programming interfaces) and user authentication, allowing attackers to sidestep strong authentication features like two-factor authentication, or in this case, even passwords.

The incident also underscores the difficulty organizations have spotting problematic code in the absence of identifiable vulnerabilities. The “Act As” functionality clearly escaped the notice of Toyota’s application security team. Furthermore, Zveare’s probing of the application and bypassing of authentication did not result in his session being terminated or the application being locked down.

"The vulnerability of the GSPIMS system is yet another example of an application doing what it is supposed to do...but also doing things it was not intended to do," said Matt Rose, a Field CISO at ReversingLabs.

"This is why software supply chain security (SSCS) needs to be attuned to both known vulnerabilities and application behaviors and their potential risk. Toyota's application security team did not find this back door because they did not analyze the potential risk associated with the ‘Act As’ functionality behavior of the application," Rose said.

A culture of insecurity?

Finally, there is the “culture of security” matter. While Zveare notes that Toyota was prompt in fixing the issue he reported, the company offered him no compensation for his work, and it is unclear whether an official company bug bounty exists that has the GSPIMS application “in scope.”

Zveare notes that, despite practicing proper disclosure and saving the company from a potentially catastrophic leak, “the reward for reporting this critical issue was $0.” That’s a big disincentive to pour more time and effort into probing the security of Toyota’s infrastructure, he notes. That means other, exploitable application flaws may go undetected — at least by “white hat” researchers like Zveare. 

“While it’s fun to find significant vulnerabilities like these, I will probably start shifting my efforts to companies offering monetary rewards that help to sustain these often-lengthy investigations and write-ups,” Zveare wrote.

Clarification: an earlier version of this blog post quoted Mr. Zveare saying he believed that the consulting firm SHI developed the GSPIMS application based on a license key found in the JavaScript code for the application. However, Mr. Zveare now claims that SHI has confirmed they did not develop the GSPIMS application and merely sold Toyota the license key in question. 
