iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A security specialist and developer has found a way into a massive Toyota customer database in Mexico.
Eaton Works has revealed the process in a blog post, after informing Toyota of the vulnerability.
The database in question is Toyota’s C360 CRM system, which compiles a vast range of data about Toyota customers, including names and addresses, email and phone details, as well as billing information, purchase history, tax IDs, and “social presence”.
“Businesses can use this data to inform engagement strategies, customer journey steps, communications, personalised offers, and deliveries,” Toyota said of the CRM system. “A Customer 360 view enables organisations to derive value, achieve sustainable competitive advantage, and maximise new customer acquisition opportunities whether in-store or online.”
And having this data all in one place makes it a tempting target for malicious actors.
After finding a way into a Toyota corporate database last month, Eaton was curious to see if a customer database was similarly open.
They found four separate instances of C360 online — one production version and three development versions. While the production site returned a 403 error when Eaton tried to access it, the other sites presented a log-in page, which they were able to bypass using a couple of JavaScript patches, tricking the page into thinking they were logged in.
With this access, Eaton was able to locate a number of API endpoints on the production version of the site.
“It’s worth noting that these APIs did not require an authentication token,” Eaton noted in a blog post. “They would return data to anyone who sent a well-formed request. The access token is saved to session storage, but it wasn’t actually used anywhere.”
Everything the researcher needed to access the production version of C360 was in the code for the development apps, a lapse on the part of the developers.
Eaton then found a searchable database that returned everything Toyota had on each of its customers, as listed above. By way of example, Eaton simply entered the name “Joe”, which returned a predictably large number of customers. And it wasn’t just that the data was exposed, but many of the fields were even editable.
The database does seem to be a work in progress, however, with some details replicated across multiple customers.
Eaton informed Toyota of the vulnerability in October 2022, and the company promptly took most of the sites offline. The carmaker does not pay bug bounties, Eaton pointed out, and since the company has not published any advisories on the incident, they believe no malicious access to the database was detected.
Toyota’s lucky that it was a white hat hacker who found the problem.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
