
Bimmer worried? Two unpatched bugs in BMW portal

Vulnerability Lab researchers disclosed two unpatched bugs in BMW domains and its ConnectedDrive portal that could allow remote attackers to bypass validation procedures and/or inject malicious code.

A VIN (vehicle identification number) session validation flaw in the automaker's ConnectedDrive portal can be exploited with a low-privilege user account and lead to the manipulation of VINs and configuration settings, according to a July 7 disclosure.

Researchers also discovered a client-side cross-site scripting (XSS) vulnerability on the BMW web domain in the password reset token system that could potentially lead to session hijacking, phishing campaigns, or diversion of users to malicious domains, according to a separate July 7 disclosure.
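The two flaw classes described above, a session-to-VIN binding that is not enforced server-side and a reset token reflected into a page without encoding, can be illustrated with the checks a portal would need. The following is an added example written for this article, not code from BMW, ConnectedDrive or Vulnerability Lab, and the ownership table, session object, token format and function names are all constructed assumptions; the disclosures themselves give no implementation detail.

```python
"""Constructed illustration of two web-portal checks: binding a VIN to the
authenticated session, and validating plus HTML-escaping a password reset
token before reflecting it. All data and names here are made up."""
import html
import re
from dataclasses import dataclass

# Constructed sample data: which VINs each account is allowed to manage.
OWNED_VINS = {
    "alice": {"WBA00000000000001"},
    "bob": {"WBA00000000000002"},
}

# ISO 3779 VIN shape: 17 characters, letters I, O and Q are not used.
VIN_PATTERN = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")

# Assumed token shape for this example (URL-safe characters only).
TOKEN_PATTERN = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


@dataclass
class Session:
    user: str  # authenticated account name (assumed)


def update_config_unchecked(session, vin, settings, store):
    """Weak form: the VIN comes from the client and is never checked against
    the session, so any logged-in account can write another owner's settings."""
    store[vin] = dict(settings)
    return True


def update_config_checked(session, vin, settings, store):
    """Hardened form: reject malformed VINs and VINs the session's user does
    not own; only then apply the configuration change."""
    if not VIN_PATTERN.match(vin):
        return False
    if vin not in OWNED_VINS.get(session.user, set()):
        return False
    store[vin] = dict(settings)
    return True


def render_reset_page_unchecked(token):
    """Weak form: reflects the token into an HTML attribute verbatim."""
    return f'<input type="hidden" name="token" value="{token}">'


def render_reset_page_checked(token):
    """Hardened form: accept only tokens of the expected shape, then
    HTML-escape (quotes included) when reflecting into the attribute."""
    if not TOKEN_PATTERN.match(token):
        return None
    safe = html.escape(token, quote=True)
    return f'<input type="hidden" name="token" value="{safe}">'
```

The ownership check belongs on the server, keyed by the authenticated session rather than by anything the client sends; the token check rejects unexpected input before rendering and escapes it anyway, so either layer alone would still block a reflected payload.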

Vulnerability Lab disclosed the flaws to BMW in February 2016, and the German automaker responded to the reports in April 2016.

SCMagazine.com attempted to reach BMW for comment but it has yet to respond. 
