Eaton Zveare, a US-based security researcher, proactively informed Toyota of a vulnerability he found in the corporation's Global Supplier Preparation Information Management System (GSPIMS).
According to Zveare, the problem stemmed from the way JWT (JSON Web Token) authentication was implemented: anyone who knew a valid user's email address could obtain access to that user's account.
A JWT is a token issued when a user logs in to a website; the site and its APIs then check the token to decide which resources the user may access. GSPIMS, the automaker's web platform, lets employees and suppliers log in remotely to manage the company's global supply chain.
The researcher could guess a valid email address by searching the internet for Toyota personnel likely to use the system. Corporate Toyota addresses are easy to predict because they follow the format firstname.lastname@toyota.com.
Zveare then generated a valid JWT for that email address and used it to log in to GSPIMS. He used the same technique to take over a system administrator account that he identified after some reconnaissance of the portal.
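The following is an added illustrative example, not code from the article, from Zveare, or from Toyota. The article does not detail how GSPIMS minted its tokens, so the example models the class of flaw it describes: a token endpoint that issues a correctly signed HS256 JWT for any known email address without demanding a credential, placed beside a hardened issuer that authenticates first and a verifier that pins the algorithm and checks the signature. The signing key, the user table and the function names are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example only: a signing key and a tiny in-memory user table.
# In a real deployment the key is a managed secret and the table is a user store.
SIGNING_KEY = b"example-signing-key-do-not-use"
_SALT = b"static-salt-for-demo-only"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Fictional users whose addresses follow the firstname.lastname@toyota.com pattern.
USERS = {
    "jane.doe@toyota.com": {"role": "admin", "pw": _hash_password("correct horse", _SALT)},
    "john.roe@toyota.com": {"role": "supplier", "pw": _hash_password("battery staple", _SALT)},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (RFC 7519): header.payload.signature, base64url encoded."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is correctly signed and unexpired, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token's own header choose it
    # (this rejects alg=none and algorithm-confusion tokens outright).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def issue_token_vulnerable(email: str) -> Optional[str]:
    """The flawed pattern: a genuine, correctly signed token is minted for any known
    email address with no proof of identity. Guessing an address is enough to own
    that account, including an administrator's."""
    user = USERS.get(email)
    if user is None:
        return None
    claims = {"sub": email, "role": user["role"], "exp": int(time.time()) + 3600}
    return sign_jwt(claims, SIGNING_KEY)


def issue_token_hardened(email: str, password: str) -> Optional[str]:
    """Authenticate first; only a verified credential yields a token."""
    user = USERS.get(email)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw"], _hash_password(password, _SALT)):
        return None
    claims = {"sub": email, "role": user["role"], "exp": int(time.time()) + 3600}
    return sign_jwt(claims, SIGNING_KEY)


if __name__ == "__main__":
    guessed = "jane.doe@toyota.com"  # attacker only needs to guess the address format
    stolen = issue_token_vulnerable(guessed)
    print("vulnerable issuer handed the attacker:", verify_jwt(stolen, SIGNING_KEY))
    print("hardened issuer without a password:", issue_token_hardened(guessed, "guess"))
```

Note that the token the vulnerable issuer hands out passes every check in `verify_jwt`; the signature is genuine. That is the lesson of the case as the article tells it: a JWT is only as trustworthy as the authentication step that happened before it was signed, so the fix belongs at issuance, not in the verifier.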
The company avoided a potentially disastrous leak thanks to Zveare’s effective disclosure practices, yet
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents