Critical Security Flaws in Carmaker's Web Portal


Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere - TechCrunch

Introduction

A recent report by TechCrunch revealed that a security researcher, Eaton Zveare, discovered critical security flaws in a carmaker's web portal, allowing hackers to remotely unlock cars from anywhere. These vulnerabilities were found in the centralized dealer portal, providing hackers with vast access to customer and vehicle data.

Key Details

Zveare explained that with this access, he could take over a customer's account and unlock their car remotely. This poses a major concern for car owners, as hackers can easily gain access to their personal information and control their vehicles. The flaws also allowed hackers to manipulate the system, potentially causing damage to the car's software and overall functioning.

Impact

The consequences of these security flaws are far-reaching and alarming. Not only can hackers remotely unlock cars, but they can also access sensitive information such as customer names, addresses, and even credit card details. This puts the carmaker's reputation at risk, as well as the safety and privacy of their customers. It is crucial for the carmaker to address these vulnerabilities and prioritize the security of their web portal to prevent any further breaches.

About the People Mentioned

Eaton Zveare

Eaton Zveare is a prominent cybersecurity researcher and ethical hacker known for exposing vulnerabilities in automotive and gaming systems.[2][3][4]

In his early career around 2013, he was part of a group led by programmer Anthony Clark that exploited a hack in EA Sports' FIFA game servers to generate and sell vast amounts of in-game currency, reportedly earning up to $500,000 daily at its peak.[1] Zveare purchased luxury items like a Mercedes AMG CLA 45 with cash proceeds, but the operation drew FBI scrutiny, leading to raids and asset seizures.[1] He and two collaborators pleaded guilty to charges, forfeiting profits to avoid prison, while Clark fought the case and was later convicted of conspiracy to commit wire fraud.[1][6]

Transitioning to ethical hacking, Zveare has gained recognition as a white-hat researcher publishing findings via Eaton Works.[3] In June 2023, he disclosed flaws in Honda's e-commerce platform (Honda Dealer Sites) and Power Equipment Tech Express (PETE) websites, including a weak password reset API that exposed over 1,090 dealer emails, 3,588 dealer accounts, 11,034 customer emails, and 21,393 orders using just a registered email from a public YouTube video.[3] The sites were deactivated post-disclosure.

In early 2025, Zveare uncovered critical bugs in a major carmaker's dealer portal, enabling login bypass via client-side code manipulation to create a "national admin" account.[2][4] This allowed remote vehicle unlocking, engine starts, data lookups by VIN or name, and unauthorized account pairing—demonstrated ethically with a friend's consent.[4][5] The carmaker patched the issues within a week, confirming no prior exploitation.[4] He presented related findings at DEF CON 2025.[5]

Zveare remains active in vulnerability research, emphasizing authentication flaws in APIs as key risks, with ongoing relevance in advancing secure connected vehicle tech amid rising autonomous driving adoption.[2][4]

About the Organizations Mentioned

TechCrunch

**TechCrunch** is a leading global technology media company founded in June 2005 by Michael Arrington and Keith Teare under Archimedes Ventures. Initially launched as a blog focused on profiling and reviewing emerging startups and Web 2.0 companies, it quickly became a prominent source of breaking tech news, analysis, and opinion for entrepreneurs, investors, developers, and tech enthusiasts[3][4].

The organization established itself as a key voice in Silicon Valley by delivering in-depth articles about the rapidly evolving tech ecosystem. Its unique editorial style encourages writers to self-assign stories they are passionate about, fostering deep, insightful coverage[3]. Over time, TechCrunch expanded beyond news with significant influence in the startup community through its flagship events.

A major milestone came in 2008 with the launch of TechCrunch50, a startup competition providing early-stage companies a platform to pitch innovations to industry experts and investors. This event evolved into the annual TechCrunch Disrupt conference starting in 2010, which remains a premier global gathering for startups, investors, and tech leaders. Disrupt is well-known for its Startup Battlefield competition, which has launched successful companies such as Dropbox, Mint, Yammer, and Cloudflare, collectively raising billions in funding and achieving numerous exits[1][4][5].

TechCrunch was acquired by AOL early in its growth phase, which helped scale its operations but also saw internal disputes among the founders around 2010, leading to Teare’s fading involvement[1]. Despite leadership changes, TechCrunch continues to thrive as a digital media leader, generating revenue primarily through advertising and event sponsorships.

Celebrating its 20th anniversary in 2025, TechCrunch remains committed to delivering front-row access to technology innovation and startup culture. It maintains a strong presence in Europe and globally, consistently shaping the conversation around tech trends and entrepreneurship[3][7]. Its enduring impact stems from both its authoritative journalism and its role as a launchpad fo
