
White hat hacker cracked Toyota's supplier portal

Companies hire “white hat” hackers to help identify network weaknesses all the time, generally offering a bounty for any vulnerabilities they find and report. Automakers are no exception, and with the proliferation of connected vehicles with round-the-clock internet access, the security risks have grown just as fast. Toyota recently learned of an issue with its supplier portal, through which a white hat hacker could access email accounts, documents and other confidential information.

Automotive News reported that Eaton Zveare, a hobbyist hacker (and beekeeper) from Florida, found the vulnerability and reported it to Toyota last November. The automaker quickly closed the breach and thanked Zveare but stopped short of paying a bounty, a decision he said could encourage less upstanding hackers to sell secrets on the black market instead of reporting them. It’s worth noting that Toyota has an existing program for researchers to report vulnerabilities, but it’s unclear whether Zveare used it.

Zveare discovered the weakness in Toyota’s supplier portal by generating a web token using a Toyota email address. The system authenticated him without a password, opening the door to all sorts of secret corporate information. All he had to do was search the internet for a valid Toyota email address. Once in, he repeated the access process to take over an email account with system administrator permissions.
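The flaw described above, as an added illustration that is not Toyota's code or Zveare's: a token-issuing function that only checks whether an address exists in the account list, beside a hardened version that mints a token only after the caller proves control of the account. The accounts, salt and signing key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side state: placeholder signing key and sample accounts, not Toyota's.
SIGNING_KEY = b"placeholder-signing-key-change-me"
SALT = b"constructed-salt"
ACCOUNTS = {
    "alice@example.com": {"role": "supplier", "pw_hash": None},
    "admin@example.com": {"role": "sysadmin", "pw_hash": None},
}
for _email, _pw in (("alice@example.com", "correct horse"), ("admin@example.com", "battery staple")):
    ACCOUNTS[_email]["pw_hash"] = hashlib.pbkdf2_hmac("sha256", _pw.encode(), SALT, 100_000)

def _mint(email, role, ttl=3600):
    """Mint an HMAC-signed token. Shared by both variants; the signing itself is not the flaw."""
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": email, "role": role, "exp": int(time.time()) + ttl}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def issue_token_vulnerable(email):
    """The flawed pattern described in the article: knowing a valid address is enough.
    Repeating it with an administrator's address yields an administrator token."""
    account = ACCOUNTS.get(email)
    return _mint(email, account["role"]) if account else None

def issue_token(email, password):
    """Hardened: a token is minted only after the supplied credential verifies."""
    account = ACCOUNTS.get(email)
    # Always run the hash so an unknown address is not distinguishable by timing.
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if account is None or not hmac.compare_digest(account["pw_hash"], supplied):
        return None
    return _mint(email, account["role"])

def verify_token(token):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > time.time() else None
```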