Car buyers accidentally discover vulnerabilities in VW app

The post "Car buyers accidentally discover vulnerabilities in VW app" by Maria Gramsch first appeared on Basic Thinking.


A car buyer happened to come across serious vulnerabilities in the VW app and was even able to access other people's vehicle data. Volkswagen has now closed the vulnerabilities.

The Indian security researcher Vishal Baskar uncovered serious vulnerabilities in the VW app after buying a used car. Originally, he only wanted to register his new car in the “My Volkswagen” app.

However, problems arose, which is why he started investigating. Along the way, he was even able to access data from other vehicles via the VW app's API, as he writes in a blog post.

Security researcher reveals vulnerabilities in VW app

Registering his used car in the VW app should have taken Baskar only two steps. First, the vehicle identification number (VIN) must be entered; the app then asks for a one-time password (OTP).

However, the OTP was not sent to Baskar’s cell phone but to that of the car's previous owner, who in turn did not respond to calls. Baskar made various attempts and was able to enter an OTP several times.

He was not locked out, which puzzled him as a security researcher. So he took a close look at the app. Using the Burp Suite software, he captured the API calls the app made on his iPhone.

It turned out that it was indeed possible to make an unlimited number of attempts to enter the OTP. In this way, he managed to determine the right number with the help of a Python script and thus gain access to his vehicle's data in the app.
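The server-side control whose absence is described above, as an added example that is not taken from the article, Baskar's blog post or Volkswagen's code. The class name, the policy limits and the six-digit code length are assumptions; the point is that failures are counted per VIN on the server and that requesting a new OTP does not reset the count.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses tolerated per VIN
LOCKOUT_SECONDS = 900   # assumed policy: lock duration once the cap is hit
OTP_TTL_SECONDS = 300   # assumed policy: lifetime of an issued OTP
OTP_DIGITS = 6          # assumed length; the article does not state it


class OtpStore:
    """In-memory stand-in for server-side OTP state, keyed by VIN."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # vin -> (code, expires_at)
        self._failures = {}  # vin -> (failed_count, locked_until)

    def issue(self, vin):
        """Create a fresh OTP. Failure counts and locks are deliberately kept."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[vin] = (code, self._clock() + OTP_TTL_SECONDS)
        return code  # would be sent out of band to the registered phone

    def verify(self, vin, guess):
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        now = self._clock()
        failed, locked_until = self._failures.get(vin, (0, 0.0))
        if now < locked_until:
            return "locked"  # refused even if the guess is correct
        pending = self._pending.get(vin)
        if pending is None or now >= pending[1]:
            self._pending.pop(vin, None)
            return "expired"
        if hmac.compare_digest(pending[0].encode(), str(guess).encode()):
            del self._pending[vin]  # single use
            self._failures.pop(vin, None)
            return "ok"
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._pending.pop(vin, None)  # burn the code and start the lock
            self._failures[vin] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[vin] = (failed, 0.0)
        return "wrong"
```

A real deployment would keep this state in a shared store and log every "locked" result, since repeated lockouts on one VIN are a useful detection signal.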


Passwords in plain text

But the solution to his OTP problem was not the only discovery Baskar made during his investigation. Because of open API endpoints, he was also able to view data such as passwords and usernames in plain text.

He gained access to a wide range of information, such as names, telephone numbers, addresses and email addresses, merely by entering the vehicle identification number. He was also able to view vehicle details, contract information and information about service and maintenance packages.

According to Baskar, this would have been a feast for stalkers or criminals. With access to this data, they could easily have found out a real-time location, private address or regularly visited places.

This is how VW responded to the vulnerabilities in the app

In November 2024, Baskar contacted Volkswagen. He has now received confirmation that the security holes in the app have been closed. The car manufacturer thanked him in a letter, which the security researcher included in his blog post.

According to a Volkswagen spokeswoman, the problem was a local one. As she told Heise online, only the Indian variant of the app was affected.

VW apps and vehicles in other countries were never affected. In addition, according to the group, there is no evidence that the security holes in the app were actually exploited or that data was actually used.



As a Tech Industry expert, I think it is concerning that car buyers were able to accidentally discover vulnerabilities in the VW app. This highlights the importance of rigorous testing and security measures in the development of technology, especially in the automotive industry where the safety and security of vehicles and their systems are paramount.

It is crucial for companies like VW to continuously monitor and address vulnerabilities in their apps to prevent potential cyber attacks or breaches that could compromise the safety and privacy of their customers. Additionally, it is important for car buyers to be vigilant and report any issues they may encounter with the technology in their vehicles to ensure that necessary actions are taken to address them promptly.

Overall, this incident serves as a reminder of the ongoing challenges and risks associated with the integration of technology in vehicles, and the need for collaboration between industry stakeholders to prioritize cybersecurity and protect consumers from potential threats.
