Account Takeover of Internal Tesla Accounts

Disclosed by
  • Program Tesla
  • Disclosed date about 1 year ago
  • Points 40
  • Priority P1 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by evanconnelly

Tesla has two Identity Providers (IDPs), for external users and for employees. Tesla Retail Tool (TRT) allows logins from both and was not checking what IDP the user logged-in with ( vs This made for a condition where via Google Dorks, I was able to identify names and extrapolate email addresses of former Tesla staff and then register accounts with the external IDP using the email addresses of former employees whose accounts had been disabled on the internal IDP but who still had privileges defined by their internal Tesla email address within TRT and ultimately log into TRT with the privileges of those users.