A security researcher, Eaton Zveare, identified a major security flaw in Toyota's Global Supplier Preparation Information Management System (GSPIMS) web portal. This portal gives Toyota employees and suppliers access to ongoing projects, surveys, purchasing information, and more. The flaw lay in the implementation of JWT authentication, which allowed anyone with a valid email address to gain access to any account. A JWT is a signed session token that is usually issued when logging in to a website and is then presented to authenticate the user to protected sections of the site or its APIs. Zveare discovered that GSPIMS exposed a function that generated a JWT for any supplied email address, without requiring a password. He used this to access GSPIMS and found an account with system administrator privileges. That account gave him access to all the information on the portal, including details on over 14,000 user accounts, control over the roles each account could hold, and classified documents. The system admin also had the option to log in as any of the 14,000 users, which is the purpose the JWT-generating function was built to serve. However, exposing it without authentication also created a backdoor into the network. An attacker with system admin access could have exfiltrated data, tampered with or deleted it, and used the corporate email addresses and roles of all 14,000 user accounts to target them in phishing attacks. Zveare reported the vulnerability to Toyota on November 3, 2022.
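The pattern at the heart of this report is an impersonation ("log in as user") feature whose token-minting function can be reached without the caller ever proving who they are. The following added example, which is not Toyota's code and assumes a constructed user table, a placeholder signing key and a minimal HS256 implementation, puts that pattern beside a hardened form: the caller must present a valid token, must hold the admin role, the issued token records who is acting as whom, and every impersonation is written to an audit log.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder; a real deployment uses a managed key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature), enough to show the flaw."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims

USERS = {"admin@example.test": "sysadmin", "supplier@example.test": "supplier"}  # constructed

# Vulnerable pattern: whoever knows an email address receives a token for that account.
# No caller identity is checked, so this is an unauthenticated login-as-anyone endpoint.
def vulnerable_token_for_email(email: str) -> str:
    return sign_jwt({"sub": email, "role": USERS[email], "exp": time.time() + 3600})

AUDIT_LOG: list = []

# Hardened pattern: impersonation requires an already-authenticated sysadmin, the
# issued token carries an "act" claim naming the real actor, is short-lived, and
# the event is logged so the use of the feature can be reviewed later.
def impersonate(caller_token: str, target_email: str) -> Optional[str]:
    caller = verify_jwt(caller_token)
    if caller is None or caller.get("role") != "sysadmin" or target_email not in USERS:
        return None
    AUDIT_LOG.append({"actor": caller["sub"], "target": target_email, "ts": int(time.time())})
    return sign_jwt({"sub": target_email, "role": USERS[target_email],
                     "act": caller["sub"], "exp": time.time() + 900})
```

In the hardened path the admin's own token would come from a normal password login; here `vulnerable_token_for_email` stands in for that login only to keep the example self-contained.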
This news item was published on www.securityweek.com. Publication date: Tue, 07 Feb 2023 15:23:03 +0000