Security Flaw in Carmaker’s Online Portal Exposed Customer Data and Could Permit Remote Vehicle Access, Researchers Say

A security vulnerability in a major carmaker’s online portal exposed customer data and could have allowed hackers to remotely unlock vehicles. The flaw was discovered by security researcher Eaton Zveare, who reported his findings to the company, which issued a fix in February 2025. Zveare did not publicly name the automaker but described it as a well-known brand with more than 1,000 dealerships in the United States.

Investigators said the vulnerability stemmed from a login-security bypass in the dealership portal. By modifying the portal’s code, Zveare was able to create a new ‘national administrator’ account, which granted unfettered access to private customer data, including names, financial details, and vehicle information. The flaw could also permit remote actions such as unlocking doors when a user’s name or VIN was known. Investigators cautioned that the ability to unlock vehicles remotely represents a serious risk, though there is no confirmed instance of actual theft.

Beyond customer data, the new administrator account allowed its holder to view financial data from dealerships and track the real-time locations of rental or courtesy cars, a combination Zveare described as a ‘security nightmare waiting to happen’ because it enables impersonation across multiple systems.

Malwarebytes weighed in on the issue, saying this is the kind of vulnerability that makes it easier for people to track and stalk others. Zveare, who presented his findings at the DEF CON security conference, said the bugs took the company about a week to fix after disclosure. He told TechCrunch that the main issue came down to simple authentication flaws, saying, “If you’re going to get those wrong, then everything just falls down.”

For people concerned about their car’s security, here are a few simple tips to help prevent unwanted tracking:

  • Use your phone’s navigation app (like Google Maps) instead of the one built into your car.
  • Don’t save regular destinations in the car’s navigation system.
  • Keep your car’s software updated to ensure you have the latest security protections.
  • Check your car’s remote access apps to make sure no unknown devices have been linked to your account.