There was a flaw in the Tesla Retail Tool (TRT) application that enabled a researcher to gain control of the accounts belonging to former employees.
Designed with support for both employee and vendor logins, TRT stores various types of enterprise information, including financial information, details on Tesla locations, contact information, building plans, network circuit details, and details on local, ISP, and utility account logins.
The application allows both internal and external account logins and uses for authentication a JSON Web Token (JWT) that specifies an email address cleared for manually defined user accounts, security researcher Evan Connelly explains.
Connelly discovered that accounts of past employees were still lurking in Tesla’s internal systems, and that it was possible to register an external account with the internal email of a former employee, and then access TRT with the privileges of that employee’s account.
The issue was that TRT was created with support for both an internal and an external identity provider, but it did not check which of the providers the user logged in with.
The researcher reported the vulnerability to Tesla on November 19, 2022, through the company’s bug bounty program on Bugcrowd. The flaw was addressed within two days.
It’s unclear how much Connelly earned for his findings, but Tesla assigned the vulnerability a P1 priority rating, for which the carmaker typically pays between $3,000 and $15,000.
In summary, a vulnerability in TRT allowed a researcher to take over the accounts of former employees. The researcher was able to find and use the internal email of these former employees to access TRT with their privileges. The vulnerability was reported to Tesla and addressed within two days. It is unclear how much the researcher was paid, but Tesla typically pays between $3,000 and $15,000 for vulnerabilities of this type.
Key Points:
- A vulnerability in the Tesla Retail Tool (TRT) application allowed a researcher to take over the accounts of former employees.
- The researcher was able to find and use the internal email of these former employees to access TRT with their privileges.
- The vulnerability was reported to Tesla and addressed within two days.
- It is unclear how much the researcher was paid, but Tesla typically pays between $3,000 and $15,000 for vulnerabilities of this type.