Insecure Toyota CRM exposed Mexican customer information

Eaton

News coverage:

Key Points / Summary

The GSPIMS hack I disclosed last month exposed a wealth of corporate data, but no customer data. In today’s writeup I am detailing the discovery of a Toyota CRM issue that left Mexican Toyota customer information exposed.

Toyota C360 CRM

Toyota maintains a “Customer 360” CRM. This page has a good definition of what that means:

Customer 360 refers to the creation of a master customer record by aggregating all data about that customer from across the organization. Customer 360 provides a trusted, single view of a customer’s name, address, contact information, gender, and interactions with a business. The view can include information about purchase history, billing, service issues, social presence, and channel preferences. Businesses can use this data to inform engagement strategies, customer journey steps, communications, personalized offers, and deliveries. A Customer 360 view enables organizations to derive value, achieve sustainable competitive advantage, and maximize new customer acquisition opportunities whether in-store or online.

In this case it’s simply an Angular single-page application intended to manage Toyota Mexico customers. According to comments in the code, it was also used to manage US customers at one point. US customers are presumably managed in a different CRM now.

There were a few different versions of the CRM – 3 development/testing versions and 1 production version:

  1. https://c360.dev.customercentral.toyota.com/
  2. https://c360.qa.customercentral.toyota.com/
  3. https://www.devapp.customercentral.toyota.com/
  4. https://c360.customercentral.toyota.com/

At the time of writing, Toyota has taken all but site #1 offline.

Bypassing the login

When the production site (#4) was active, it would return a 403 error when you visited it. There was no way around it.

Undeterred, I discovered the development/testing versions of the site and decided to investigate those instead. Instead of returning a 403 error, they would ask for corporate login credentials:

The Angular JavaScript code initiates this redirect, so the first goal was to stop that from occurring. A few patches do the job nicely:

  1. Stop the login redirect in main.js.
  2. Return an empty, non-null account object in vendor.js to avoid errors and trick the app into thinking an account is logged in.

The homepage then loads:

Accessing production data

As stated previously, the production app is locked behind a 403 error. After analyzing the dev app, I managed to locate the dev, qa, and production API endpoints:

Secret API endpoints exposed via loading spinner settings, of all things.

The dev app I am working on is using the dev API, but it is trivial to update it to use the production API:

It’s worth noting that these APIs did not require an authentication token. They would return data to anyone who sent a well-formed request. The access token is saved to session storage, but it wasn’t actually used anywhere.

Toyota likely believed no one would find the production API endpoint since the production app was locked down, but their developers included it in the dev app. The endpoints ended up there because ngx-ui-loader is used to enhance the loading experience in the app, and the API paths were excluded from the loader to avoid problems. There is nothing wrong with enhancing an app’s loading experience, but in this case it accidentally exposed the secret API endpoints for every environment.

The production and qa API endpoints use Amazon API Gateway and probably would have been impossible to find if they weren’t included in the dev app’s code.

With the login bypass and API change in place, it was possible to access production data.

Exploring the impact

The “C360 Profile” page is where all the interesting stuff is. It is basically a lookup tool where you can search for customers. Searching for customers yields a lot of results when you put in a common name (note the scrollbar):

Clicking on a customer shows all their information and service history:

That is basically everything that is interesting. This app is still in development and some sections are glitchy or unavailable. For example, the same service history was often duplicated across customers.

I would like to stress that I do not know how many customers are in this CRM. There wasn’t a user list – it was only possible to search for customers by name, ID, phone number, or email address.

The customer information appears to sync with Dealer Daily, which is the central system Toyota (and Lexus) dealers use to manage their business with Toyota.

Reporting to Toyota

The issue was reported to Toyota on October 30, 2022, and they responded later that same day confirming they received the report. On November 18, 2022, they confirmed the issue was remediated. I then informed them I would publish my writeup after the industry-standard 90-day period had passed.

Toyota fixed the issue by taking some of the sites offline and updating the APIs to require an authentication token.

Basically a day after I reported the issue to Toyota, they took all the sites offline. I was impressed by how quickly they reacted. They likely spent the next few weeks making necessary security improvements and ensuring no one maliciously accessed any customer information. Toyota did not publish their own advisory regarding this issue, so it’s likely no malicious access was found.

There was no reward for this disclosure. Toyota currently does not offer rewards for security reports.

This is my last planned Toyota writeup for now, but who knows what the future holds! PS: If you/your company’s security team are currently hiring, feel free to say hello🙂.
