Bimmer worried? Two unpatched bugs in BMW portal

News by Robert Abel

Vulnerability Lab researchers reportedly spotted two upatched bugs in BMW domains and its ConnectedDrive portal.

Vulnerability Lab researchers have disclosed two unpatched bugs in BMW domains and its ConnectedDrive portal that could allow remote attackers to bypass validation procedures or inject malicious code.

A VIN (vehicle identification number) session validation flaw in the automaker's ConnectDrive portal can be exploited with a low-privilege user account and lead to the manipulation of VIN numbers and configuration settings, according to a July 7 disclosure.

Researchers also discovered a client-side cross-site scripting (XSS) vulnerability on the BMW web domain in the password reset token system that could potentially leading to session hijacking, phishing campaigns, or diversion of users to malicious domains, according to a separate, July 7 disclosure.

Vulnerability labs disclosed the flaws to BMW in February 2016 and the German automaker responded to the reports in April 2016. attempted to reach BMW for comment but the company has yet to respond. 


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews