Researchers have disclosed zero-day vulnerabilities affecting the BMW web domain and ConnectedDrive portal which remain unpatched and open to attack.
According to researchers from Vulnerability Labs, there are two main bugs both related to the BMW online service web app for ConnectedDrive, the connected car hub for new, internet-connected vehicles produced by the automaker.
The first flaw, found in the ConnectedDrive portal, is a VIN session vulnerability. The VIN, or vehicle identification number, is used to identify individual models connected to the service. The bug is found within the session management of VIN usage, and remote attackers can bypass validation procedures using a live session.
The session validation flaw can be exploited with a low-privilege user account, leading to manipulation of VIN numbers and configuration settings -- such as compromising registered and valid VIN numbers through the ConnectedDrive portal.
The second bug is a cross-site scripting vulnerability the researchers discovered client-side on the BMW web domain in the password reset token system. The researchers call the problem a "classic" cross-site scripting vulnerability, as the security flaw does not need privileged user accounts to be exploited; instead, "low user interaction" is needed through only a payload injection into the vulnerable module.
If exploited, attackers can inject malicious code into the domain's modules, potentially leading to session hijacking, phishing campaigns, or diverting users to malicious domains.
Vulnerability Labs first disclosed the security flaws to the German automaker in February this year. BMW responded to the reports in April. However, there is no evidence that these issues have been patched, leading to public disclosure on July 7.
ZDNet has reached out to BMW and will update if we hear back.