Summary by Tesla
Allowing disclosure with limited visibility since the report contains information about internal hosts
Several internal applications have open CORS, allowing external folks to access the content
Disclosed by bigBugGuy- Engagement Tesla
- Disclosed date about 2 years ago
- Points 20
- Priority P2 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by bigBugGuy
Using a typosquat domain, I was able to get access to a browser that sat on an internal Tesla network, without social engineering anyone. From there, I could access all the open CORs domains:
aads.teslamotors.com
envoy-commerce.teslamotors.com
packaging-v2-api-stg.teslamotors.com
packaging-v2-api.teslamotors.com
location.teslamotors.com
messagecenter-external-api-stage.teslamotors.com
m3location.teslamotors.com
payment-gateway.teslamotors.com
onboarding-pre-delivery-prod.teslamotors.com
eaa-setup.teslamotors.com
That response data was then sent back out to me. The team was quick to triage the issue, and fix the permissive CORs issue.