Summary by Tesla
Allowing disclosure with limited visibility since the report contains information about internal hosts
Several internal applications have open CORS, allowing external folks to access the content
Disclosed by
- Engagement Tesla
- Disclosed date over 2 years ago
- Points 20
- Priority P2 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by bigBugGuy
Using a typosquat domain, I was able to get access to a browser that sat on an internal Tesla network, without social engineering anyone. From there, I could access all the open CORs domains:
aads.teslamotors.com
envoy-commerce.teslamotors.com
packaging-v2-api-stg.teslamotors.com
packaging-v2-api.teslamotors.com
location.teslamotors.com
messagecenter-external-api-stage.teslamotors.com
m3location.teslamotors.com
payment-gateway.teslamotors.com
onboarding-pre-delivery-prod.teslamotors.com
eaa-setup.teslamotors.com
That response data was then sent back out to me. The team was quick to triage the issue, and fix the permissive CORs issue.
Activity
- Nick Customer sent a message
- bigBugGuy sent a message
- Nick Customer sent a message
- bigBugGuy sent a message
- Nick Customer sent a message
- bigBugGuy sent a message
- bigBugGuy sent a message
- Nick Customer sent a message
- bigBugGuy sent a message
- Nick Customer sent a message
- Nick Customer published the disclosure report
- Nick Customer sent a message
- Nick Customer changed the state to Resolved
- bigBugGuy requested disclosure
- bigBugGuy sent a message
- Nick Customer sent a message
- Nick Customer changed the severity to P2
- Nick Customer rewarded bigBugGuy 15 points
- Nick Customer rewarded bigBugGuy
- Nick Customer changed the state to Unresolved
- Nick Customer rewarded bigBugGuy 5 points
- bigBugGuy sent a message
- bigBugGuy sent a message
- Nick Customer changed the state to Triaged
- Nick Customer sent a message
- bigBugGuy created the submission
