Major flaws found in VW’s connected car app
Personal data exposed
A cyber researcher has found significant flaws in the My Volkswagen app, exposing personal details, passwords and even credentials for third-party services.
Vishal Bhaskar first found the flaws after purchasing a used Volkswagen last year and trying to register his vehicle with VW’s connected car service.
However, the one-time password Bhaskar needed was sent to the previous owner’s phone.
Being a techy, Bhaskar saw that the app had no lockout mechanism for failed attempts. He used Burp Suite to analyse traffic and wrote a Python script to brute-force the password.
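The control that was missing here, as an added illustration that is not code from the original article or from Volkswagen: an OTP verifier that counts wrong guesses per pending challenge, locks the challenge after a fixed number of failures, expires old codes, and invalidates a code once used. The account identifier, the attempt limit, the five-minute lifetime and the status strings are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: lock the challenge after five wrong guesses
OTP_TTL_SECONDS = 300   # assumed policy: a code is only valid for five minutes


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class OtpVerifier:
    """Tracks one pending OTP per account and enforces lockout on failed attempts."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._pending: dict[str, OtpChallenge] = {}

    def issue(self, account: str) -> str:
        # Issuing a fresh code replaces (and unlocks) any previous challenge.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = OtpChallenge(code, self._clock())
        return code   # in a real service this goes to the owner's phone, never to the API client

    def verify(self, account: str, guess: str) -> str:
        ch = self._pending.get(account)
        if ch is None:
            return "no-challenge"
        if ch.locked:
            return "locked"          # refuse further guesses until a new code is issued
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        ch.attempts += 1             # count the attempt before comparing
        if hmac.compare_digest(ch.code, guess):
            del self._pending[account]   # one-time: a used code cannot be replayed
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True
            return "locked"
        return "wrong"
```

Without the attempt counter and lock, a six-digit code gives an attacker at most one million guesses, which is exactly the brute force the article describes; with it, a challenge survives only a handful of guesses before a new code must be sent to the legitimate owner.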
That was successful, and Bhaskar went on to identify three more significant API flaws:
First, an API endpoint exposed internal information like usernames, passwords and credentials for third-party services like Salesforce in plain text.
Another endpoint showed customer details by exposing all the service and maintenance packages ever purchased for a car. Those packages include names, phone numbers, email addresses, postal addresses and registration details. Accessing this information only requires the vehicle identification number (VIN), which can often be found outside a car (on a wheel arch or visible on the dashboard through the windscreen).
Finally, entering the VIN also gave access to full service histories, customer complaints and satisfaction survey results.
Additional API endpoints showed telematics data and even more customer information, including tags labelled “educationQualification” and “drivingLicense.”
This type of massive personal data exposure is an obvious problem, and cyber attackers and scammers could combine it with the vehicle information (which includes real-time location) to convincingly target VW owners.
Bhaskar reported the vulnerabilities to Volkswagen on the 23rd November and says that, while the company was responsive throughout, the problem was only fixed this month.
This is the German car company’s second cyber incident in the last six months, after a subsidiary exposed data on nearly 800,000 EV owners in December last year.