Imagine logging into a website meant for car dealerships… and suddenly realizing you have the keys to every car that brand has sold. Sounds like a Hollywood hacker movie, right? Well, Eaton Zveare, a security researcher at Harness, found himself in that exact situation — only it was very, very real.
While poking around an unnamed but major automaker’s online dealership portal, Zveare stumbled on a security flaw that let him create an all-powerful “national admin” account. This wasn’t just a VIP pass — it was god mode. From there, a hacker could peek at personal and financial details of customers, track vehicles in real time, and even remotely unlock cars. Yes, you read that right — remotely.
The kicker? It all started because of bad code that loaded in a user’s browser during login. By tweaking that code, Zveare could bypass security altogether. Once inside, he had access to over 1,000 dealerships across the U.S. and a consumer lookup tool that could identify a car’s owner just from a VIN number on the windshield.
Testing it with a friend’s permission, he even transferred ownership of their car to his account — no hard verification needed, just a digital “pinky promise.” In theory, a thief could do the same to almost any customer, simply by knowing their name or spotting their car in a parking lot.
It didn’t stop there. The portal was linked to other dealer systems via single sign-on, and came with an “impersonate user” feature, meaning Zveare could hop into other accounts without their password. Inside? Customer data, financials, real-time car tracking, and the power to cancel shipments.
The automaker patched the flaws within a week of his February 2025 report, but the lesson is loud and clear: two tiny authentication bugs can blow the doors — and the car doors — wide open.
About the Author
