A flaw in Toyota’s GSPIMS allowed a researcher to gain access

February 16, 2023

A researcher using the pseudonym EatonWorks recently disclosed an issue in Toyota's Global Supplier Preparation Information Management System (GSPIMS), which they breached during security testing.

GSPIMS is a web application used by Toyota personnel and suppliers to manage the car manufacturer's global supply chain remotely. With the flaw they found, the researcher said they could log in as an existing user and then elevate that account to administrator privileges, needing nothing more than the e-mail address of an active Toyota employee.

Large amounts of sensitive data held in the GSPIMS web app were exposed by EatonWorks' successful intrusion.

The researcher said they were able to access a large number of corporate documents stored in the Toyota web app, including thousands of internal projects and supplier details.

The intrusion took several steps, but it was easy in practice: the only key EatonWorks needed was a working e-mail address of a senior Toyota employee.

According to the writeup EatonWorks published on February 6, GSPIMS is built on the Angular JavaScript framework, with routes and guard functions in the client-side code that determine which pages a given user or administrator can reach.

The researcher patched those client-side functions to return "true", which unlocked the restricted pages in the browser. Opening a page is not the same as getting its data, though: the app still required the researcher to be authenticated before it would show anything.

Analysing the environment further, EatonWorks found that GSPIMS offers a password-less login for employees: it generates a JSON Web Token (JWT) from nothing more than a corporate e-mail address. All the researcher needed was the address of a Toyota employee, ideally from upper management, to have a valid JWT generated for that account, and a simple web search turned one up.

With that token the researcher had full, unauthorised access to the account and was able to elevate its privileges to administrator, exposing critical and confidential company data.

Since the vulnerability was discovered for research purposes, EatonWorks disclosed it to the car manufacturer on November 3. Toyota had patched it by November 23, before, as far as is known, anyone else found and abused it.

After Toyota's 90-day disclosure period, the researcher published a detailed writeup on their website. EatonWorks also noted that the car manufacturer did not pay them for the discovery, and said they would shift their focus to companies that offer monetary rewards, to help sustain their research and writeups.
