Improper Authorization - Second (Additional) Driver can list "add-driver" invitation links

Disclosed by
sparmar
  • Engagement: Tesla
  • Disclosed date: over 2 years ago
  • Points: 10
  • Priority: P3 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by Tesla

Authorized drivers could list existing invitations issued for a vehicle they had access to; this information should be restricted to vehicle owners.

Summary by sparmar

Can I disclose and create a blog?

Activity
  1. Nick Customer sent a message
  2. Nick Customer published the disclosure report
  3. sparmar requested disclosure
  4. sparmar sent a message (deleted)
  5. Nick Customer sent a message
  6. Nick Customer rewarded sparmar
  7. Nick Customer changed the state to Resolved
  8. Nick Customer rewarded sparmar 10 points
  9. Nick Customer changed the severity to P3
  10. sparmar sent a message
  11. Nick Customer sent a message
  12. Nick Customer updated the submission
  13. Nick Customer changed the state to Triaged
  14. Nick Customer resolved a blocker for Tesla by responding to comments
  15. Nick Customer sent a message
  16. sparmar sent a message
  17. harris_bugcrowd sent a message
  18. harris_bugcrowd created a blocker on Tesla to respond to comments
  19. sparmar resolved a blocker for Tesla by providing information on reproduction
  20. sparmar sent a message
  21. harris_bugcrowd created a blocker on the researcher to provide information on reproduction
  22. harris_bugcrowd sent a message (edited)
  23. harris_bugcrowd sent a message (deleted)
  24. sparmar resolved a blocker for Tesla by providing information on reproduction
  25. sparmar sent a message
  26. harris_bugcrowd created a blocker on the researcher to provide information on reproduction
  27. harris_bugcrowd sent a message
  28. sparmar resolved a blocker for Tesla by providing information on reproduction
  29. sparmar sent a message
  30. harris_bugcrowd created a blocker on the researcher to provide information on reproduction
  31. harris_bugcrowd sent a message
  32. sparmar sent a message
  33. Nick Customer sent a message
  34. sparmar sent a message
  35. Nick Customer sent a message
  36. sparmar created the submission