The flaw affects Hyundai and Genesis vehicles made over the past decade. Exploiting the bug would allow controlling the locks, engine, and other critical features. Hyundai claims the bug was not exploited in the wild.
The newly discovered vulnerability impacts mobile apps Hyundai and its luxury brand Genesis owners use to monitor their vehicles. Next to vehicle diagnostics and service scheduling, the apps also allow users to remotely start, stop, lock, and unlock their vehicle.
According to Sam Curry, hacker and bug bounty hunter, mobile apps for Hyundai and Genesis vehicles provide vehicle control privileges only to authorized users. However, researchers noted irregularities in how the app communicates with the authorization server, leading them to look into the Hyundai user account registration.
“Immediately, we noticed that the server did not require users to confirm their email address. There additionally appeared to be a very loose regex which allowed control characters in your email,” Curry said in a Tweet detailing the flaw.
more here
The newly discovered vulnerability impacts mobile apps Hyundai and its luxury brand Genesis owners use to monitor their vehicles. Next to vehicle diagnostics and service scheduling, the apps also allow users to remotely start, stop, lock, and unlock their vehicle.
According to Sam Curry, hacker and bug bounty hunter, mobile apps for Hyundai and Genesis vehicles provide vehicle control privileges only to authorized users. However, researchers noted irregularities in how the app communicates with the authorization server, leading them to look into the Hyundai user account registration.
“Immediately, we noticed that the server did not require users to confirm their email address. There additionally appeared to be a very loose regex which allowed control characters in your email,” Curry said in a Tweet detailing the flaw.
more here
