Summary by Tesla
Disabling mobile access is now restriced to vehicle owners. Since this issue required an attacker to have been granted access to a vehicle by the owner, it was classified as P3.
- Engagement Tesla
- Disclosed date over 2 years ago
- Points 10
- Priority P3 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by KLWTTS
Tesla had misconfigured vehicle security settings that enabled guests who were shared Mobile Access by an Owner, the ability to use their guest credentials to turn off Mobile Access for all users. This same vulnerability let Guests override the Owner's other available security features like Valet Mode, PIN to Drive, and Glovebox PIN. Tesla addressed the issue by reconfiguring server-side protocol to only accept the Owner's credentials for all of these features.
Activity
- Nick Customer published the disclosure report
- Nick Customer updated the submission
- Nick Customer sent a message
- KLWTTS sent a message
- KLWTTS requested disclosure
- KLWTTS sent a message
- Nick Customer sent a message
- Nick Customer rewarded KLWTTS $300
- Nick Customer changed the state to Resolved
- Nick Customer rewarded KLWTTS 10 points
- Nick Customer sent a message
- KLWTTS resolved a blocker for Bugcrowd Operations by responding to comments
- KLWTTS sent a message
- wilson_bugcrowd created a blocker on the researcher to respond to comments
- Nick Customer sent a message
- KLWTTS sent a message
- KLWTTS sent a message
- Nick Customer resolved a blocker for Bugcrowd Operations by providing information on impact
- Nick Customer sent a message
- Nick Customer changed the severity to P3
- Nick Customer changed the state to Triaged
- Nick Customer cleared the severity
- wilson_bugcrowd sent a message
- wilson_bugcrowd created a blocker on Tesla to provide information on impact
- KLWTTS created the submission
