On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.
That password reset looked to be like step four of something. So it’s a business logic bypass. Still awful of course but slightly more understandable given other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely blackbox because everything was in the Javascript.
There is no excuse for issuing a valid token before mfa succeeds though. That is negligent.
That password reset looked to be like step four of something. So it’s a business logic bypass. Still awful of course but slightly more understandable given other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely blackbox because everything was in the Javascript.
There is no excuse for issuing a valid token before mfa succeeds though. That is negligent.