On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.
Simply removing the two-factor auth element which does nothing to access the main page underneath. I do that shit with newspaper paywalls. That is wild.
Also having a script in there that just resets a password no questions asked. WTF is going on with modern software development? It isn’t just Subaru. It’s almost everything in the last 15 years. Behind all the pretty lipstick, IT systems are jankier than ever.
For any aspiring programmers, remember, never ever assume the user is rational, expecting them to follow the rules. At least half of your user data-handling code should be validation and sanity checks. Code defensively.
That password reset looked to be like step four of something. So it’s a business logic bypass. Still awful of course but slightly more understandable given other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely black box because everything was in the JavaScript.
There is no excuse for issuing a valid token before MFA succeeds though. That is negligent.
deleted by creator
even worse, it’s a joke, but it’s true, the proof of concept is often also the final product
Now add AI in the mix :)
Subcontracted to Indian, Ukrainian and other low-income countries. You get what you pay for.
Ukrainian devs are top notch, to be fair. Outsourcing to there is not an issue.