Car manufacturer Toyota has been alerted to a severe vulnerability in its web portal for the global supplier management network. According to Toyota, security researcher Eaton Zveare detected the vulnerability and was able to exploit it to gain access to sensitive information. The impacted web portal provides Toyota employees and suppliers with information about ongoing projects, surveys, and purchases.

Zveare stated that the vulnerability is an authentication error that allows access to any account using a valid email address. Toyota’s web portal contained a function that allowed users to generate an authentication token based on the email address provided without a password. Corporate Toyota email addresses are easy to guess as they follow the same format. Therefore, Zveare was able to exploit the vulnerability by guessing an email address and using open-source research to identify Toyota employees involved in the supply chain management aspect of the company.
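The flaw class described above, sketched as an added example (this is not Toyota's code, and the article does not describe the portal's actual token format): the function names, the sample user directory and the HMAC-signed token layout are all assumptions made for illustration. The first issuer hands out a token for any known email address; the second issues one only after a password check.

```python
import base64, hashlib, hmac, json, os, secrets, time

SIGNING_KEY = secrets.token_bytes(32)          # demo key, generated per run

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}

# Constructed sample directory; the address and password are made up.
USERS = {"jane.doe@example.com": _record("correct horse battery")}
_DUMMY = _record(secrets.token_hex(16))        # stands in for unknown addresses

def _sign(email: str, ttl: int = 900) -> str:
    claims = {"sub": email, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def issue_token_vulnerable(email: str):
    """Flawed pattern: knowing a valid address is enough to get a token."""
    return _sign(email) if email in USERS else None

def issue_token_hardened(email: str, password: str):
    """Issue a token only after the caller proves knowledge of a secret."""
    user = USERS.get(email)
    rec = user or _DUMMY                       # same KDF work for unknown users
    ok = hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])
    return _sign(email) if (user is not None and ok) else None

def verify_token(token: str):
    """Return the subject if signature and expiry check out, else None."""
    body, _, sig = token.rpartition(".")
    good = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if claims["exp"] > time.time() else None
```

Because corporate addresses follow a predictable format, the email alone cannot serve as the authenticating factor; the hardened issuer also performs the same key-derivation work for unknown addresses so response timing does not confirm which addresses exist.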

