How a Big Rock Revealed a Tesla XSS Vulnerability
Bug Hunter Sam Curry's Find Left Tesla Slightly Red-Faced
Software vulnerabilities sometimes have an uncanny knack of revealing themselves, even when a bug hunter is looking someplace else.
Sam Curry's find wouldn't have been revealed except for an unfortunate circumstance: A big rock cracked the windshield of his black Tesla 3 while driving through Colorado. The rock, however, eventually led to Curry collecting a $10,000 bug bounty from the electric car company.
Curry, a 19-year-old who runs a web application security consultancy called 17security LLC near Omaha, Nebraska, had been trying to hack his Tesla 3 for a few months. He focuses on finding bugs for bounties.
When he eventually found a bug, Tesla's security team responded immediately to his report and quickly fixed the problem.
"Their security team was absolutely fantastic," Curry tells me. "I think they were almost embarrassed when I reported this because the way they reacted to this was 'Aw jeez.'"
What's in a Name? XSS
Curry writes in a blog post that he'd been trying to find a flaw within Tesla's web browser, which is a pared-down version of Google's Chromium.
Then in April, he experimented with naming his Tesla. Owners can assign their car a nickname, which is displayed in the mobile app. Curry set his car's name to "%x.%x.%x.%x."
That's a type of format string attack. A vulnerable application may interpret the string as formatting instructions rather than as plain text, causing unintended consequences such as a crash. At one time, BMW's 2011 330i was vulnerable to this kind of attack, which could remotely crash the multimedia software due to an issue with its Bluetooth stack, designated CVE-2017-9212.
But the naming approach didn't work. So he decided to change the car's name to a cross-site scripting payload that came from XSS Hunter, a tool for finding these types of vulnerabilities.
Nothing happened, or at least not right away. Curry says he had a month of free time earlier this year and decided to drive across the U.S.
"I went on this super long - probably like 70 hours of driving - road trip," he says. "We were driving through Colorado and this rock just cracked my windshield. I was pretty bummed out."
He filed a support note through Tesla's mobile app, which connects to the car, and resumed his trip.
The support request with his unorthodox car name caused the XSS payload to fire on the domain "garage.vn.teslamotors.com." Bingo. On Tesla's end, a support rep had just pulled up the live diagnostics from Curry's car on a support dashboard.
XSS Hunter sent an email notification with the URL of the vulnerable page as well as a screenshot, which showed the dashboard that had diagnostic information on the state of Curry's vehicle. The URL contained part of his car's VIN, which potentially could be incremented via an insecure direct object reference flaw (see Security Flaw Exposed Valid Airline Boarding Passes).
Curry says the dashboard application also has a public version, but what he saw was a screenshot of the internal one. He thinks it may have been possible to pull a cookie and access the public version, which may have allowed him to interact with any vehicle. Support representatives also use the dashboard to push software updates to Teslas.
"You could have pretty much pulled live information from any vehicle in that panel," he says.
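The pattern described above is a stored, "blind" cross-site scripting bug: the nickname is entered in one application (the mobile app) and rendered, unencoded, in a different one (the internal support dashboard). The following is an added illustration, not Tesla's code or anything from Curry's report, of what the fix looks like at the rendering sink: the vehicle name is HTML-encoded for the context it lands in, so a payload is displayed as text instead of executing. The vehicle record, VIN and marker payload are constructed for the example; the function names are hypothetical.

```javascript
// Added example (not Tesla's code): rendering a user-supplied vehicle
// nickname into a support dashboard so a stored XSS payload cannot fire.

// Constructed sample record. The name is a harmless marker standing in for
// the kind of payload a customer could set in the mobile app; the VIN is a
// placeholder, not a real vehicle.
const SAMPLE_VEHICLE = {
  vin: "5YJ3E1EA0KF000000",
  name: '"><img src=x onerror="alert(1)">',
};

// Encode the characters that are significant in HTML text and quoted
// attribute contexts. Encoding at render time protects every consumer of the
// value, including internal dashboards the input form never knew about.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: untrusted fields are concatenated straight into
// markup, both inside an attribute and as element text.
function renderVehicleCardUnsafe(vehicle) {
  return `<div class="vehicle" title="${vehicle.name}"><h2>${vehicle.name}</h2><span>${vehicle.vin}</span></div>`;
}

// Hardened rendering: the same template, with every untrusted field encoded.
function renderVehicleCardSafe(vehicle) {
  const name = escapeHtml(vehicle.name);
  const vin = escapeHtml(vehicle.vin);
  return `<div class="vehicle" title="${name}"><h2>${name}</h2><span>${vin}</span></div>`;
}

// Review check: does the rendered markup contain any tag the template did
// not emit, or an inline event-handler attribute on any tag? Encoded text
// such as "&lt;img" never begins a tag, so it is not counted. Quoted
// attribute values are blanked before the handler test so that encoded
// payload text inside a legitimate attribute is not mistaken for a handler.
function containsInjectedMarkup(html, allowedTags = ["div", "h2", "span"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g)];
  return tags.some(([, name, attrs]) => {
    const unexpectedTag = !allowedTags.includes(name.toLowerCase());
    const handler = /\son[a-z]+\s*=/i.test(attrs.replace(/"[^"]*"/g, '""'));
    return unexpectedTag || handler;
  });
}

// Stand-alone demonstration of both renderings.
console.log("unsafe injected:", containsInjectedMarkup(renderVehicleCardUnsafe(SAMPLE_VEHICLE)));
console.log("safe injected:  ", containsInjectedMarkup(renderVehicleCardSafe(SAMPLE_VEHICLE)));
```

The check function is a coarse reviewer aid, not a sanitizer: the defence is the contextual encoding in `renderVehicleCardSafe`, applied wherever the value is rendered, which is exactly the step the internal dashboard was missing when the payload fired on the support rep's screen.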
Tesla triaged the bug and released a hot fix within 12 hours, he writes. Tesla paid Curry a $10,000 bounty in about two weeks.
One question remains, however. Curry posted the screenshot of his vehicle's diagnostic information that was sent to him by XSS Hunter.
His speed at 3:09 p.m. on June 19 was 81 mph. Hmm.
I asked Curry where he was in Colorado. He told me: "Somewhere where the speed limit's 81 mph. One of those big highways. I was on the autobahn."