Imagine that it’s enough to look at the  windshield  of a car to score its  frame number —a 17-character code visible from outside. By entering it into an internal tool, one could find out the name of the  owner  and link that vehicle to a  mobile account . From there, it would be possible to  unlock the doors  remotely via an official app, without touching a lock or forcing anything.

That is precisely what a cybersecurity  researcher  demonstrated after accessing the internal portal used by dealers of a  large car brand . This incident doesn’t involve an attack on users or public servants, but rather a  vulnerability  within the business platform that connects the manufacturer with its sales network. A backdoor that grants access to  connected functions  and personal data.

The Failure Was Not in the Car, But in the Chain That Unites Everything

Behind this unsettling finding is  Eaton Zveare , a researcher who has been tracking vulnerabilities in digital platforms of major brands, especially in the automobile sector. This time was no different. Zveare discovered that the internal web portal of a  well-known car brand  allowed modifications to system behavior directly from the browser. Specifically, he managed to alter the login page code to skip security checks and create an  administrator account  with national privileges. This account provided access to over 1,000 dealerships across the United States.

At this point, the  scope of the problem  drastically changed. It was no longer just about accessing internal resources of a dealership; the account created granted access to the  entire system . Zveare could view data for all  connected dealerships , impersonate other users, and most alarmingly, access tools that allowed him to consult  information about vehicles and their owners . This was all possible from a platform intended solely for industry professionals.

Zveare did not force any entry, nor did he install malicious software or launch an external attack. What he discovered was an inadequately secured entry point within a legitimate system. More worrying is that this entry not only permitted him access but provided a suite of tools that should not have been accessible so effortlessly.

Hacker

In the  United States , laws regulating vehicle sales vary by state, but they share a fundamental principle: in most instances,  manufacturers cannot sell new cars directly to consumers . They must go through independent dealerships, which are legally safeguarded against direct competition from the manufacturer. This has led to a  franchised network structure  that consolidates thousands of sales and after-sales points.

Tesla has tried to break away from this model and sell directly, but it has not proven easy. While it has succeeded in a few states, many others still impose legal restrictions that prevent it from selling or delivering vehicles directly. Tesla’s circumstance is the most visible exception, but it is certainly not the norm.

The most concerning aspect is not merely that this system displayed confidential information. The serious issue is that it allowed actions with  high privileges , as if one were part of the official manufacturer structure. This meant it was possible to impersonate the identities of other employees, intervene in registered vehicles throughout the nation, or access functionalities intended only for authorized technicians.

The portal was designed to facilitate actions within the dealer network, not to resist  malicious access from within .

As previously mentioned, each car has a unique  frame number . This code consists of 17 characters—both letters and numbers—that legally identify the vehicle worldwide.

What the average driver likely does not realize is that this code is visible from the outside, located at the base of the windshield. In the context of this case, it served as the key to access. In a real test,  Zveare entered a visible VIN from the outside  and obtained the name of the owner. Moreover, through the portal, it was also possible to link the vehicle to a new mobile account.

Zveare did not attempt to drive any vehicles or alter their physical configurations. However, with the level of control he possessed, it would have been entirely possible to unlock vehicles remotely and empty their interiors.

Currently,  the name of the affected manufacturer has not been disclosed . While the researcher is aware of the brand behind the compromised portal, he chose not to mention it in his report or during his defense presentation. Similarly, TechCrunch, the first media outlet to cover the story, has also refrained from revealing the identity of the manufacturer.

Tesla's Collapse in Europe Brings Bad News

This is not an unusual practice. In certain cases, researchers opt to maintain the anonymity of the involved company for prudence’s sake, even after the vulnerability has been resolved, to avoid endangering third parties: dealerships, employees, or customers who continue to rely on that system. The fact that the compromised platform granted access to entire networks rather than just isolated servers may also have influenced this decision.

Images | Xataka with Gemini 2.5 Flash

In Xataka | Bugatti decided not to put speakers in a car of four million euros. His secret is a technique of 1881.



General News – 2