Toyota Global Supply Chain Portal Flaw Put Hacker in the Driver's Seat
upstart writes:
An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.
Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.
From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.
[...] The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.
[...] The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed - a speedy response with which Zveare was "impressed," he said.