Eaton Zveare, a US-based researcher, proactively informed Toyota of a security flaw he found in the corporation's Global Supplier Preparation Information Management System (GSPIMS).
According to Zveare, the problem stemmed from the way JWT (JSON Web Token) authentication had been implemented: it could have given anyone with a valid email address access to any account.
JWT is a session token that is created when a user logs onto a website and is used to verify the user's access to secure APIs or portions of the website. The automaker's web platform, known as GSPIMS, enables remote login and management of the company's global supply chain for employees and suppliers.
The researcher could predict an email address by scanning the internet for Toyota personnel likely to be involved with the system. Corporate Toyota email addresses are simple to guess because they follow the format firstname.lastname@toyota.com.
Zveare then created a legitimate JWT from that email address and used it to access GSPIMS. He used the same method to access a system administrator account he found after performing some reconnaissance of the portal.
The company avoided a potentially disastrous leak thanks to Zveare's responsible disclosure, yet the reward for reporting this critical issue was $0. Despite following the rules of disclosure and rescuing the company from a potentially disastrous leak, he received nothing, which "acts as a strong deterrent to investing more time and energy in investigating the infrastructure security of Toyota," he adds. Because of this, similar exploitable application weaknesses can go unnoticed, at least by 'white hat' researchers like Zveare.
An administrator of the GSPIMS system has access to private data such as confidential documents, project schedules, vendor rankings, and customer data for 14,000 users. The code that creates a JWT from an email address alone appears to have been developed to support this option; in doing so, it also created a backdoor into the network.
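The weakness described above is a token-issuance problem, not a weakness in JWT itself: a JWT is only as trustworthy as the check that happens before it is signed. The following added example (written for this article, not code from Toyota or from Zveare's report) contrasts the pattern the article describes, a token minted from nothing but an email address, with a hardened issuer that verifies a credential first. The HS256 signing and verification are implemented with the Python standard library so the example runs offline; the signing key, the user directory, the example address and the password are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key; a real deployment loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce an HS256-signed JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes):
    """Return the claims if the signature checks and the token is unexpired, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # the verifier picks the algorithm, never the token
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64, bad UTF-8 and bad JSON
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory standing in for the portal's real identity store.
_SALT = secrets.token_bytes(16)
USERS = {
    "jane.doe@example.com": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "role": "supplier",
    },
}


def issue_token_vulnerable(email: str) -> str:
    """The pattern the article describes: a valid session token minted from an email address
    alone. Nothing is looked up and no credential is checked, so any address that can be
    guessed yields a working session for that account."""
    return sign_jwt({"sub": email, "exp": int(time.time()) + TOKEN_TTL_SECONDS}, SIGNING_KEY)


def issue_token_hardened(email: str, password: str):
    """Mint a token only after the caller proves possession of the account credential."""
    user = USERS.get(email)
    if user is None:
        _hash_password(password, _SALT)  # same cost for unknown address and wrong password
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    claims = {"sub": email, "role": user["role"], "exp": int(time.time()) + TOKEN_TTL_SECONDS}
    return sign_jwt(claims, SIGNING_KEY)


def tamper_role(token: str, new_role: str) -> str:
    """Constructed helper: rewrite the role claim without re-signing, to show that
    verify_jwt rejects a token whose payload no longer matches its signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    print("vulnerable issuer accepts any address:",
          verify_jwt(issue_token_vulnerable("anyone@example.com"), SIGNING_KEY) is not None)
    print("hardened issuer, wrong password:", issue_token_hardened("jane.doe@example.com", "nope"))
    good = issue_token_hardened("jane.doe@example.com", "correct horse battery staple")
    print("hardened issuer, valid login:", verify_jwt(good, SIGNING_KEY))
    print("tampered role rejected:", verify_jwt(tamper_role(good, "admin"), SIGNING_KEY))
```

The two issuers sign tokens identically; the only difference is the check that gates signing. Reviewing where tokens are minted, and confirming that every path requires a verified credential (or a trusted upstream identity provider) before `sign_jwt` is reached, is the control that would have closed this class of hole.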