Security researcher Eaton Z gained access to the global supplier management network of Toyota Motors in the October to November 2022 period. This was a breach of the supplier portal's security, but it was carried out in the manner of a bug-bounty style test, and no damage was inflicted on Toyota Motors.
We will review the main aspects of this hacking attempt and the response taken by the team at Toyota Motors.
Key points about the Toyota Motors supplier network cyber-security incident
- The hack into Toyota's supplier management portal took place somewhere between October and November 2022.
- The security researcher successfully exploited an authentication bypass in the Toyota supplier management portal. The breach was reported to Toyota Motors' North America office on 3rd November 2022. The target of this breach was Toyota GSPIMS (Global Supplier Preparation Information Management System).
- Toyota Motors communicated and acknowledged fixing the issue on 23rd November 2022.
- As part of the breach, the email address of an employee of Toyota Motors' North America office was used to access the supplier network. The breach gave full access to the directory of suppliers and their contact information.
- Full read and write access to the global user directory, containing over 14,000 users, was achieved.
- Data pertaining to Toyota suppliers Michelin, Continental, Stanley Black & Decker, HARMAN, Timken, BOS, and Magna was available to the researcher as part of the security breach.
- The breach was achieved by targeting the login flow of the Angular web application. A JSON Web Token (JWT) was generated from nothing more than a valid user's email address, with no password required, and the GSPIMS application then accepted that JWT as a valid session, bypassing its login security entirely.
- Once inside, the researcher was also able to escalate from membership of the 'Mgmt – Purchasing' group to full system administrator privileges.
- Toyota fixed this issue by making the createJWT and findByEmail endpoints return HTTP status 400 – Bad Request in all cases.
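As an added illustration (this is not code from the original post, from Eaton Z's write-up, or from Toyota's application), the following Python sketch simulates a login flow with the shape described in the points above: a createJWT-style endpoint that mints a signed token from an email address alone, a findByEmail-style endpoint that lets any session read the user directory, and hardened forms of both. The signing key, user records, addresses, group names, and the guessed administrator address are all constructed; the real request and response formats of GSPIMS are not known from this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the server signs tokens with HS256 and a static secret.
SECRET = b"constructed-demo-signing-key"


def _sha256_hex(text: str) -> str:
    # Plain SHA-256 keeps the sketch dependency-free; real systems use a
    # slow salted hash such as argon2 or bcrypt for stored passwords.
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed stand-in for the global user directory; no real addresses.
USERS = {
    "buyer@example.com": {"group": "Mgmt - Purchasing", "pw": _sha256_hex("buyer-pass")},
    "sysadmin@example.com": {"group": "System Admin", "pw": _sha256_hex("admin-pass")},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# ---- Vulnerable shape: the only input checked is the email address ----
def create_jwt_vulnerable(email: str):
    """createJWT-style endpoint: any known address gets a signed session token."""
    user = USERS.get(email)
    if user is None:
        return 404, None
    return 200, mint_jwt({"sub": email, "group": user["group"], "exp": time.time() + 3600})


def find_by_email_vulnerable(token: str, email: str):
    """findByEmail-style endpoint: any valid session can read any directory entry."""
    if verify_jwt(token) is None:
        return 401, None
    user = USERS.get(email)
    return (200, {"email": email, "group": user["group"]}) if user else (404, None)


# ---- Hardened shape ----
def create_jwt_fixed(email: str, password: str):
    """Issue a token only after the password is verified. Unknown address and wrong
    password get the identical response, so the endpoint cannot enumerate users."""
    user = USERS.get(email)
    supplied = _sha256_hex(password)
    if user is None or not hmac.compare_digest(user["pw"], supplied):
        return 401, None
    return 200, mint_jwt({"sub": email, "group": user["group"], "exp": time.time() + 3600})


def find_by_email_fixed(token: str, email: str):
    """Mirrors the reported fix: the endpoint refuses every request with 400."""
    return 400, None


def attack(create_jwt, find_by_email, known_email="buyer@example.com"):
    """What an attacker who knows one employee address can reach.
    The admin address below is a constructed guess standing in for a directory walk."""
    status, token = create_jwt(known_email)
    if status != 200:
        return "login refused"
    status, record = find_by_email(token, "sysadmin@example.com")
    if status != 200:
        return "directory refused"
    status, admin_token = create_jwt(record["email"])
    return verify_jwt(admin_token)["group"]


if __name__ == "__main__":
    print("vulnerable:", attack(create_jwt_vulnerable, find_by_email_vulnerable))
    print("fixed:", attack(lambda e: create_jwt_fixed(e, "wrong-guess"), find_by_email_fixed))
```

Against the vulnerable pair, `attack` walks from a single purchasing-group address to a token carrying the "System Admin" group, which is the escalation path the points above describe in outline. Against the hardened pair it stops at the first step, because a token is never issued without a verified password, and even a legitimate session gets nothing from the directory endpoint once it answers 400 unconditionally, as the page reports Toyota's fix does.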
Throughout the exchange of findings between the researcher and Toyota Motors, it is clear that no damage was caused. There was no attempt to steal the data of any supplier on the Toyota GSPIMS portal.
The company acted promptly and closed the hole by changing how the createJWT and findByEmail endpoints respond.
This breach highlights some important aspects of securing corporate backend portals:
- A passwordless login that relies only on a user's email address is a serious security weakness: anyone who knows or can guess a valid address can obtain a session.
- Periodic audits of the portals and applications on the corporate network are essential to improving the security of a company's digital assets.
You can read about the detailed approach used by Eaton Z on his website.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.