Date: 2025-08-14

Track, in real time, the location of a certain car. Once you see that it's parked, just head over and unlock it using nothing but your phone. In fact, why wait? Just go to any parking lot, look up the VIN, and unlock it. And if you need a little more fun, just cancel some car shipments, because you're a national admin within the brand's online dealership portal, except that you're actually not. You're a hacker.

Thankfully, Eaton Zveare, who actually acquired for himself the ability to do all that, is not a criminal mastermind. As a security researcher, his job is to try to think like one. Per TechCrunch, he was messing around on "a weekend project" when he discovered the exploit within the brand's portal, which came down to "two simple API vulnerabilities." (Zveare didn't reveal which brand it was, except to say that it was a famous one with several sub-brands.)

Using the exploit, Zveare was able to make himself an admin with the highest-level permissions. The system in question was used by over a thousand dealerships in the U.S., so he was able to access all sorts of information. Names and addresses of buyers were there for the taking; he could have pulled the VIN off of any car on the street and looked up the owner's house. He also found financial data and real-time tracking for rental and courtesy cars. And, oh yeah, he could just cancel any car shipments to the dealerships. Did I mention he could unlock any of the cars within this system?

If all this sounds eerily familiar, it might be because Subaru was found to be similarly vulnerable just this past January. Sleep well tonight!