Auth.Tesla.com Account Takeover of Internal Tesla Accounts

Disclosed by evanconnelly
  • Engagement: Tesla
  • Disclosed: over 1 year ago
  • Points: 40
  • Priority: P1 (Bugcrowd VRT priority rating)
  • Status: Resolved (accepted and fixed)
Summary by evanconnelly

Tesla has two Identity Providers (IDPs): auth.tesla.com for external users and sso.tesla.com for employees. Tesla Retail Tool (TRT) allows logins from both and was not checking which IDP the user logged in with (auth.tesla.com vs sso.tesla.com). This made for a condition where, via Google Dorks, I was able to identify names and extrapolate email addresses of former Tesla staff, then register accounts with the external IDP using the email addresses of former employees whose accounts had been disabled on the internal IDP but who still had privileges defined by their internal Tesla email address within TRT, and ultimately log into TRT with the privileges of those users.
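The root cause described above is an application that accepts tokens from two IDPs but keys its privilege table on e-mail address alone, so the issuing IDP never enters the authorization decision. The following is an added illustration (not code from the report or from Tesla) of that lookup beside a hardened one that rejects unknown issuers and binds privileges to the (issuer, e-mail) pair. The two hostnames come from the disclosure; the claim layout, the privilege tables, the role names and the function names are assumptions, and the token's signature is assumed to have been verified before these functions run.

```python
"""Added example: binding application privileges to the issuing IDP.

Constructed illustration of the flaw in the summary: an application that
trusts logins from two identity providers but keys its privilege table on
e-mail address alone, so an account registered at the external IDP with an
internal-looking address inherits internal rights.  The issuer URLs come
from the disclosure; the claim layout, privilege data and role names are
assumptions for this example.  Token signature verification is assumed to
have happened already.
"""

EXTERNAL_IDP = "https://auth.tesla.com"   # self-service registration
INTERNAL_IDP = "https://sso.tesla.com"    # employees only
TRUSTED_ISSUERS = {EXTERNAL_IDP, INTERNAL_IDP}

# Vulnerable shape: privileges keyed on e-mail only (constructed data).
PRIVS_BY_EMAIL = {
    "former.employee@tesla.com": {"retail.admin"},
    "customer@example.com": {"retail.customer"},
}

# Hardened shape: privileges keyed on (issuer, e-mail).  Internal roles are
# only ever defined under the internal issuer, so a token for the same
# address from the external IDP matches nothing (constructed data).
PRIVS_BY_ISSUER_AND_EMAIL = {
    (INTERNAL_IDP, "former.employee@tesla.com"): {"retail.admin"},
    (EXTERNAL_IDP, "customer@example.com"): {"retail.customer"},
}


def privileges_vulnerable(claims: dict) -> set[str]:
    """Look up privileges by e-mail regardless of which IDP issued the token."""
    return set(PRIVS_BY_EMAIL.get(claims.get("email", ""), set()))


def privileges_hardened(claims: dict) -> set[str]:
    """Reject tokens from unknown issuers, then key the lookup on (iss, email).

    Raises PermissionError for an untrusted issuer so the caller can log and
    deny rather than silently treat it as an anonymous user.
    """
    iss = claims.get("iss")
    if iss not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer: {iss!r}")
    email = claims.get("email", "")
    return set(PRIVS_BY_ISSUER_AND_EMAIL.get((iss, email), set()))


def demo() -> dict:
    """Compare both lookups on a constructed token from the external IDP that
    carries a former employee's internal address."""
    token = {"iss": EXTERNAL_IDP, "email": "former.employee@tesla.com"}
    return {
        "vulnerable": privileges_vulnerable(token),
        "hardened": privileges_hardened(token),
    }


if __name__ == "__main__":
    print(demo())
```

In the hardened version the disabled internal account never reaches the lookup at all, because only sso.tesla.com can mint a token with that issuer and it no longer does so for a disabled user; the external IDP's token for the same address simply has no matching entry. Logging the issuer alongside the e-mail on every privileged action is the corresponding detection: a privileged role exercised under the external issuer should never appear.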
