Toyota customer data accessed via CRM platform bug

Toyota's Customer 360 customer relationship management platform contained a severe security flaw that enabled access to the personal data of the automaker's Mexican customers, according to SecurityWeek. After evading the CRM platform's authentication by altering Angular JavaScript code in the development/testing apps, security researcher Eaton Zveare was able to locate exposed API endpoints and modify the development app to use the production API, allowing access to customer data, including names, phone numbers, home and email addresses, tax IDs, vehicle history, and purchase and service data. "The production and QA API endpoints use Amazon API Gateway and probably would have been impossible to find if they weren't included in the dev apps code. With the login bypass and API change in place, it was possible to access production data," said Zveare. Toyota resolved the issue three weeks after being notified by Zveare on Oct. 30. The report comes a month after Zveare showed that Toyota's global supplier management network web portal allowed data tampering and exfiltration.