APPSEC-AUTO-API-2023
API · Automotive · Automaker telematics APIs (Kia, Hyundai, BMW, Ferrari, and more)
Summary
On January 3, 2023 Sam Curry and a team of researchers published Web Hackers vs. The Auto Industry, documenting critical API authorization flaws across about 16 automakers including Kia, Hyundai, Honda, Nissan, Acura, Infiniti, BMW, Ferrari, Porsche, Rolls Royce and Mercedes-Benz, plus telematics providers such as SiriusXM Connected Vehicle Services and Spireon. The connected-car APIs treated the VIN, which is visible through the windshield and effectively public, as an object identifier without verifying the caller actually owned the vehicle, a Broken Object Level Authorization flaw. Using only a target VIN, researchers could enroll a vehicle to an attacker account or bypass ownership checks and then remotely unlock, start, locate, honk, and track vehicles, achieving full account takeover. Several manufacturers also had Broken Function Level Authorization and misconfigured SSO/OTP endpoints exposing internal dealer portals. The work maps to OWASP API1:2023 (BOLA) and API5:2023 (BFLA).
How to avoid it in your code
- Never use a public or guessable value (VIN, license plate, email) as the sole access-control key; verify ownership server-side.
- Enforce object-level authorization on every command and data request against the authenticated owner.
- Apply function-level authorization so privileged actions (enroll, transfer ownership, remote control) check the caller's role.
- Require verified ownership proof for enrollment and ownership-transfer flows, not just possession of an identifier.
- Harden dealer and employee SSO/OTP endpoints; segment internal portals from customer-facing APIs.
References
Related vulnerabilities
All AppSec →- HIGHAPPSEC-TMOBILE-API-2023
On January 19, 2023 T-Mobile disclosed in an SEC 8-K filing that an attacker had abused a single API to obtain data on roughly 37 million current postpaid and prepaid customer accounts, with access beginning on or around November 25, 2022 and continuing about six weeks until detection on January 5, 2023 and cutoff a day later. The exposed fields included names, billing addresses, emails, phone numbers, dates of birth, account numbers, and plan features; T-Mobile stated no passwords, payment card data, Social Security numbers, or government IDs were taken. T-Mobile only stated that a bad actor obtained data through a single API without authorization, without publishing the low-level mechanism; the security-community consensus reconstruction is Broken Object Level Authorization (BOLA/IDOR), where the API returned per-customer records without verifying the caller was authorized for that specific object, letting the attacker walk through customer identifiers at scale. The mechanism maps to BOLA via a user-controlled key, or, if the endpoint lacked authorization entirely, to missing authorization.
- HIGHAPPSEC-USPS-INFORMEDVIS-2018
On November 21, 2018 Krebs on Security reported that a USPS Informed Visibility API had exposed account data on roughly 60 million usps.com users, after a researcher's warning had gone unanswered for over a year until USPS fixed it on November 20, 2018. The API enforced authentication but no object-level authorization: any logged-in usps.com account holder could query the account details of any other user, and the same promiscuous endpoint allowed requesting account changes such as email, phone number, and other details for arbitrary users. Many API features also accepted wildcard search parameters, so a single query could return entire data sets at once. Exposed fields included email address, username, user ID, account number, street address, phone number, authorized users, and mailing-campaign data. This is a Broken Object Level Authorization / IDOR flaw with a missing-authorization root cause: authentication was checked but authorization on the target object was not.
- CRITICALAPPSEC-OPTUS-2022
On September 22, 2022 Australian telco Optus disclosed a breach exposing the personal data of around 9.8 million current and former customers (the figure regulators later litigated as approximately 9.5 million), including names, dates of birth, addresses, phone numbers, email addresses, and passport, driver licence and Medicare numbers. The data was served by an internet-facing API endpoint (api.www.optus.com.au) that required no authentication, and customer records were keyed by a sequential, enumerable contactid. An attacker could iterate the identifier (contactId + 1) with a simple script and pull every customer record, combining broken/missing authentication with Broken Object Level Authorization via a user-controlled key. The ACMA alleged an access-control coding error introduced around 2018 weakened the API; Optus fixed the same flaw on its main domain in August 2021 but never on the exposed sub-domain. Regulators characterised the attack as not highly sophisticated.
- CRITICALAPPSEC-COINBASE-TRADE-LOGIC-2022
In February 2022, a researcher known as Tree of Alpha reported a business-logic flaw in Coinbase's Retail Advanced Trading API through HackerOne, earning a $250,000 bounty that Coinbase described as its largest ever. Coinbase stated the underlying cause was a missing logic validation check in a Retail Brokerage API endpoint that allowed a user to submit trades to a particular order book using a mismatched source account. Because the order-validation logic never verified that the named source account actually held the asset being sold, a user could place sell orders for a cryptocurrency they did not own; the reproduction example sold one asset while sourcing it from an account holding a different token. This maps to OWASP API6:2023 Unrestricted Access to Sensitive Business Flows, an improper-validation business-logic error rather than a missing cryptographic or session control. Coinbase reproduced the bug, halted retail advanced trading into cancel-only mode within an hour of the report, and validated a patch the same day.
- MEDIUMAPPSEC-PELOTON-API-2021
On May 5, 2021 Pen Test Partners researcher Jan Masters and TechCrunch publicly disclosed that Peloton's API exposed the private account data of its users, having been reported privately to Peloton on January 20, 2021. The API had endpoints, including a workout-details POST endpoint, a user-search GET endpoint, and GraphQL endpoints, that performed no authorization checks: unauthenticated requests returned account data such as user IDs, location/city, age, gender, weight, workout statistics, birthday, and group/studio attendance, even for users who had set their profiles to private, because the privacy flag was not enforced at the API layer. This is a missing/insufficient-authorization flaw on an API serving over 3 million subscribers' data. A partial fix on February 2, 2021 only restricted the API to authenticated Peloton members, so anyone willing to create an account could still pull any other user's private data until the full fix around early May.
- HIGHAPPSEC-PARLER-2021
Between 9 and 11 January 2021, as Parler was being deplatformed from Apple's App Store, Google Play and AWS following the 6 January Capitol riot, archivists led by the researcher known as donk_enby scraped roughly 99.9% of the platform before it went offline, capturing on the order of 70 TB of data including about 1.1 million videos along with public posts, photos and user data. Parler exposed API endpoints that served public posts and raw media without requiring any authentication, and post and object identifiers were sequential, so the archivists simply incremented IDs to enumerate and harvest the entire site. There was no rate limiting, allowing high-speed bulk extraction, and media files were served raw with EXIF and GPS metadata intact, while deleted posts were only flagged as deleted rather than removed and remained retrievable. The core flaw maps to OWASP API1 Broken Object Level Authorization (sequential IDs with no authorization check) combined with API4 Unrestricted Resource Consumption from the missing rate limiting, with Excessive Data Exposure in the unstripped media metadata.