Toyota API Security Breach: Unprotected internal endpoint led to privilege escalation

What happened?

A security researcher discovered a breach in Toyota's Global Supplier Preparation Information Management System (GSPIMS), which allows Toyota’s employees and suppliers to access and manage the company's global supply chain remotely. 

Shockingly, the researcher could freely access a vast amount of confidential documents, internal projects, supplier information, and other sensitive data. The researcher responsibly reported the issue to Toyota on November 3, 2022, and Toyota confirmed that the issue was resolved by November 23, 2022.

Breach Breakdown:

Toyota’s GSPIMS application is built using the Angular JavaScript framework. It uses specific routes and guard functions to control which pages a user can reach. The researcher discovered that by altering the JavaScript for these functions to always return true, they could reach every page of the app. The image below illustrates this:

Despite reaching the app's pages, the researcher could not view any data, because bypassing the client-side checks did not authenticate them to the app.

What happened next?

Step 1: Researcher discovered exposed internal endpoint

The researcher examined the app's code and searched for API keys, secret API endpoints, and other relevant information. In the user service, they stumbled upon a generateJWT() function that allows anyone to generate a JWT for a provided email without needing a password.

This is API7:2019 Security Misconfiguration from the OWASP API Security Top 10: an internal endpoint that should never have been reachable was left exposed and unprotected.


The researcher then tested the createJWT API endpoint by sending an HTTP request to it. They discovered that corporate Toyota emails in North America followed a predictable format of firstname.lastname@toyota.com, making it easier to guess a valid email. The researcher searched for Toyota employees in the supply chain and found a potential match, using their name to formulate an email address.

Finally, the researcher sent the createJWT HTTP request and received a valid JWT.

Step 2: Researcher performed privilege escalation

Next, the researcher escalated to a system administrator account by exploiting an information disclosure vulnerability in the API endpoint named findByEmail, which returned a user’s account details given only a valid email. They then elevated their privileges by locating and using a sysadmin's email address. Classic case of privilege escalation!

The researcher could impersonate the system administrator and hence could view sensitive information such as classified documents, project schedules, supplier rankings, and the data of 14,000 users. Not only that, by impersonating the sysadmin, the researcher now had the ability to examine each user's projects, tasks, and surveys, make modifications to user details and delete data.
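The findByEmail pattern from this step, as an added example (not Toyota's or Akto's code): first the information-disclosure version, then a hardened handler with an object-level authorization check, field filtering and an audit record for administrative lookups. The user records, the caller objects and the function names are constructed; `caller` stands for the claims of an already-verified token.

```javascript
// Added example (not Toyota's or Akto's code): the findByEmail pattern from the
// post, first as the information-disclosure version and then hardened with an
// object-level authorization check, response filtering and an audit trail.
// The records and callers are constructed; `caller` is { sub: email, role }.
const USERS = [
  { email: 'alice.supplier@example.com', name: 'Alice Supplier', role: 'supplier', phone: '+1-555-0100', projects: ['P-100'] },
  { email: 'bob.buyer@example.com',      name: 'Bob Buyer',      role: 'buyer',    phone: '+1-555-0101', projects: ['P-100', 'P-200'] },
  { email: 'admin.user@example.com',     name: 'Admin User',     role: 'sysadmin', phone: '+1-555-0102', projects: [] },
];

// VULNERABLE (the pattern from the post): no caller check, and the full record,
// role included, goes back for any email. This is what reveals which account
// is a sysadmin to anyone who can reach the endpoint.
function findByEmailUnprotected(email) {
  return USERS.find(u => u.email === email) || null;
}

// Fields a user may see about themselves; everything else is for administrators.
const SELF_FIELDS = ['email', 'name', 'role', 'projects'];
function pick(record, fields) {
  return Object.fromEntries(fields.map(f => [f, record[f]]));
}

// Audit trail: administrative lookups of other people's records are recorded,
// so a compromised admin session leaves a trace instead of copying data silently.
const AUDIT = [];
function audit(event) {
  AUDIT.push({ at: new Date().toISOString(), ...event });
}

// HARDENED: returns { status, body } the way an HTTP handler would.
//  - 401 when there is no verified caller at all
//  - 403 when the caller is neither the owner of the record nor a sysadmin
//  - 404 only after the authorization check, so a non-admin cannot use this
//    endpoint to learn which emails exist
//  - non-admin callers get a filtered copy of their own record only
function findByEmailProtected(caller, email) {
  if (!caller || typeof caller.sub !== 'string') return { status: 401, body: null };
  const wanted = String(email).toLowerCase();
  const isSelf = caller.sub.toLowerCase() === wanted;
  const isAdmin = caller.role === 'sysadmin';
  if (!isSelf && !isAdmin) return { status: 403, body: null };
  const record = USERS.find(u => u.email.toLowerCase() === wanted) || null;
  if (isAdmin && !isSelf) audit({ actor: caller.sub, action: 'findByEmail', target: wanted, found: record !== null });
  if (!record) return { status: 404, body: null };
  return { status: 200, body: isAdmin ? { ...record } : pick(record, SELF_FIELDS) };
}
```

The ordering inside the hardened handler matters: the 403 is returned before the lookup, so the response does not change depending on whether the email exists. The audit line is there for the scenario the post raises next, an attacker who copies data without leaving any sign; with a record per administrative lookup, that kind of quiet collection becomes visible in the logs.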

The most shocking aspect of this breach is that a malicious attacker could have quietly gained access to Toyota's system and copied confidential data without leaving any sign of unauthorized access or data theft.

This breach highlights the growing importance of API security in today's digital landscape. In this case, the unprotected internal endpoint was a major vulnerability that enabled an attacker to escalate their privileges and gain access to sensitive information. It is crucial for organizations to prioritize API security and take the steps below to detect, fix and prevent such occurrences:

How to detect?

  1. Maintain a regularly updated inventory of APIs.
  2. If an unauthenticated API with significant capabilities is discovered, remove it from the source code.
  3. Deploy a continuous testing and monitoring tool, such as Akto, that alerts immediately when a security misconfiguration such as an exposed internal endpoint is detected.
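Steps 1 and 3 together, as an added example that is not Akto's product and not Toyota's code: building an API inventory from access logs and flagging every endpoint that answers successfully to a caller with no credential at all. The log lines, the log format, the public allowlist and the sensitive-path pattern are all constructed for this example.

```javascript
// Added example (not Akto's product and not Toyota's code): build an API
// inventory from access logs and flag endpoints that answer a 2xx with no
// credential. Log lines, format, allowlist and path pattern are constructed.

// Constructed access-log sample: timestamp, method, path, status, and whether
// the request carried a credential (auth=none | auth=bearer | auth=cookie).
const SAMPLE_LOG = [
  '2024-01-15T10:00:01Z POST /api/users/generateJWT 200 auth=none',
  '2024-01-15T10:00:02Z GET /api/users/findByEmail?email=x@example.com 200 auth=none',
  '2024-01-15T10:00:03Z GET /api/projects/1042 200 auth=bearer',
  '2024-01-15T10:00:04Z GET /api/projects/1042 401 auth=none',
  '2024-01-15T10:00:05Z POST /api/users/generateJWT 200 auth=none',
  '2024-01-15T10:00:06Z GET /api/health 200 auth=none',
  '2024-01-15T10:00:07Z GET /api/users/findByEmail?email=y@example.com 200 auth=bearer',
  'garbage line that should be skipped',
];

// Endpoints that are legitimately anonymous (assumption: maintained by your team).
const PUBLIC_ALLOWLIST = new Set(['GET /api/health', 'POST /api/login']);

// Paths whose unauthenticated success is an immediate high-severity alert.
const SENSITIVE_PATH = /jwt|token|auth|user|admin/i;

const LINE_RE = /^(\S+) ([A-Z]+) (\S+) (\d{3}) auth=(\S+)$/;

// Strip the query string and collapse numeric ids so /projects/1042 and
// /projects/7 count as one endpoint in the inventory.
function normalizePath(rawPath) {
  return rawPath.split('?')[0].replace(/\/\d+(?=\/|$)/g, '/:id');
}

// Parse one line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], method: m[2], path: normalizePath(m[3]), status: Number(m[4]), auth: m[5] };
}

// Build the inventory: one entry per "METHOD path" with request counts.
function buildInventory(lines) {
  const inventory = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.method} ${rec.path}`;
    const entry = inventory.get(key) || { total: 0, unauthSuccess: 0, authSuccess: 0 };
    entry.total += 1;
    const ok = rec.status >= 200 && rec.status < 300;
    if (ok && rec.auth === 'none') entry.unauthSuccess += 1;
    if (ok && rec.auth !== 'none') entry.authSuccess += 1;
    inventory.set(key, entry);
  }
  return inventory;
}

// Alert on every endpoint that served a 2xx to an unauthenticated caller and
// is not on the public allowlist. Severity is raised for sensitive paths.
function findUnauthenticatedEndpoints(inventory, allowlist = PUBLIC_ALLOWLIST) {
  const alerts = [];
  for (const [key, entry] of inventory) {
    if (entry.unauthSuccess === 0 || allowlist.has(key)) continue;
    alerts.push({
      endpoint: key,
      unauthSuccess: entry.unauthSuccess,
      severity: SENSITIVE_PATH.test(key) ? 'high' : 'medium',
    });
  }
  return alerts.sort((a, b) => b.unauthSuccess - a.unauthSuccess);
}
```

Run `findUnauthenticatedEndpoints(buildInventory(SAMPLE_LOG))` and the two alerts are the token-minting and user-lookup endpoints; the health check is on the allowlist and the projects endpoint only succeeds with a bearer token. The inventory is the byproduct worth keeping: an endpoint that appears in the logs but not in your documented API list is exactly the kind of forgotten internal route this post is about.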

How to fix?

Upon detection of such an endpoint, block it in the WAF by adding it to the blocklist. Collaborate with your development team to restrict access solely to administrators or to remove it.

How to prevent?

In certain business cases, such endpoints may be necessary. In these cases, they should be deployed to a separate service and only made accessible through internal access points (e.g. VPN). The ideal solution is to identify and remove this endpoint during code review.
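The two restrictions recommended in the fix and prevention steps (reachable only from the internal network, e.g. over VPN, and only by administrators), written as an added example that is not Toyota's or Akto's code: a small access-check function with its own IPv4 CIDR matcher. The network ranges, the request shape and the function names are constructed.

```javascript
// Added example (not Toyota's or Akto's code): the two restrictions the post
// recommends for an internal endpoint that must stay, reachable only from the
// internal network (e.g. VPN) and only by administrators, as an access check.
// The network ranges, roles and request objects are constructed.

// Networks considered internal (assumption: your VPN and office ranges).
const INTERNAL_NETS = ['10.8.0.0/16', '192.168.0.0/16'];

// Dotted-quad IPv4 to an unsigned 32-bit integer; null on malformed input.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// True when `ip` falls inside `cidr` (IPv4 only in this example).
function inCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Access decision for an internal-only endpoint. `req.remoteAddress` is the
// peer address the server itself sees; `req.user` holds verified token claims.
// Returns the HTTP status the handler should answer with.
function internalAdminOnly(req, nets = INTERNAL_NETS) {
  const onInternalNet = nets.some(cidr => inCidr(req.remoteAddress, cidr));
  // Outside the internal network the route should not even appear to exist.
  if (!onInternalNet) return { allowed: false, status: 404 };
  if (!req.user) return { allowed: false, status: 401 };
  if (req.user.role !== 'sysadmin') return { allowed: false, status: 403 };
  return { allowed: true, status: 200 };
}
```

Two practical caveats: the check must use the address the server actually sees, not a client-supplied header such as X-Forwarded-For unless your own reverse proxy sets it, and the network check is a second layer, not a replacement for the role check. An endpoint that is "internal only" but unauthenticated is still the vulnerability this post describes, just with a smaller set of people who can reach it.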

By taking the above steps, organizations can reduce the risk of a security breach and ensure that their APIs are secure and reliable.
