
Vulnerability in Tesla Website Used to Find Details of 8500 Cars in US Inventory - sschueller
https://twitter.com/JakeLangford6/status/1097688632809455616
======
rconti
Notice this guy joined Twitter in December.

There was a similar "order site" hack back when we were waiting for delivery
of our car. I can't remember precisely, but there was a way of finding some
hidden status info in the JSON.

I'm extremely suspicious of his conclusions -- particularly the one saying
there are tons of RWD Long Range cars just sitting around for... reasons. It
doesn't pass the sniff test. They stopped making them last year -- he says
October, I thought it was even earlier. You're telling me, at the end of the
summer, when they were just catching up with demand, they discontinued the LR,
and just haven't bothered to try to sell any of them since then? Nobody's
willing to pay a few thousand more than the MR for the LR battery? Nobody's
willing to save a few thousand on an AWD LR, by dropping the 2nd motor?

Let's be really clear here -- Tesla is NOT SELLING an RWD LR 3 in the US at
this stage. The claim that they have them in inventory but aren't selling them
just beggars belief. To what end? To drive slightly higher margins on the AWD
LR 3? At the cost of having inventory just sitting around rotting?

I also wonder if he's sure they're US cars. For 3 weeks solid I saw at least
one transporter full of Euro-spec 3s going up 101 to SF to be shipped
overseas. Some days I saw 2 or even 3 transporters, which is impressive since
I only spend maybe 30mins a day on 101. I'm sure as US demand softened, they
built up inventory of cars to ship to Europe where there's still pent-up
demand, so maybe that's what the inventory was?

Clearly the tweeter is claiming demand is so soft that they can't sell them,
and I certainly don't think this purported excess of LR RWD inventory holds
water.

~~~
meritt
> Notice this guy joined Twitter in December.

Leakers have good reason to protect their identity. Especially when Tesla fans
get so clearly agitated about anything that can be even remotely construed as
negative toward Tesla and/or Musk.

> particularly the one saying there are tons of RWD Long Range cars just
> sitting. The claim that they have them in inventory but aren't selling them
> just beggars belief.

Why do you need to be "suspicious" of something as obvious as the below? These
are just 3 examples that appear like you can place the order. Those are all LR
RWDs (they only comprise 2.4% of the dataset, so I agree that LR RWDs are
basically non-existent)

* [https://3.tesla.com/model3/order/5YJ3E1EA7JF136358](https://3.tesla.com/model3/order/5YJ3E1EA7JF136358)

* [https://3.tesla.com/model3/order/5YJ3E1EA9JF118167](https://3.tesla.com/model3/order/5YJ3E1EA9JF118167)

* [https://3.tesla.com/model3/order/5YJ3E1EA0JF062734](https://3.tesla.com/model3/order/5YJ3E1EA0JF062734)

> I also wonder if he's sure they're US cars

The sixth digit in the VIN is a '7' for European cars and '1' for North
American Model 3s. 100% of these VINs have a '1' in the sixth position.
There's also 10,848 vehicles listed, quite a few more than the 8500 in the
headline.

> For 3 weeks solid I saw at least one transporter full of Euro-spec 3s going
> up 101 to SF to be shipped overseas.

Yes, they have sent 5 ships to Europe and 4 to China so far. Estimates are
2,500 cars per ship. A 10th ship just arrived on Sunday. So yes that's ~25,000
cars going to Pier 80 in San Francisco so far this quarter.

~~~
rconti
Thx for the VIN info!

Unfortunately, as mentioned, Tesla 404'd those links. I'm just not sure why
I'd believe this data is correct. At least when Tesla was backlogged for US
orders, VINs weren't assigned until a few days before delivery. As another
commenter pointed out, they have a number of systems that seem to not agree
with each other. The Twitter thread's mocking "who wants to buy a flooded car"
post is written as if he's caught some nefarious plan to sell an un-saleable
car, when, in fact, it just seems to be further evidence that the data is
garbage. Not to say it's not legitimate, just that it's not GOOD.

It just seems so silly for this guy to suggest that Tesla is a garbage
incompetent company on the verge of perennial bankruptcy, but some web portal
is clearly the Source of Truth of all inventory data, and couldn't possibly be
in the sort of disarray they accuse the rest of the company of being.

~~~
meritt
My guess is the inventory data itself is real but stale. The developer was
using a static dataset to build out the forthcoming "purchase cars from
inventory" and it was inadvertently pushed to production before it was ready. So
the dataset is a mixture of actual inventory cars and cars that had been
produced but simply hadn't been received by the new owners as of the snapshot.

------
danhak
So...about 1.5 weeks of production at current levels?
[https://www.bloomberg.com/graphics/2018-tesla-tracker](https://www.bloomberg.com/graphics/2018-tesla-tracker)

...and significantly less than that when subtracting display models, test
drive and loaner fleet.

The 8,500 figure doesn't seem alarming to me. Can anyone shed light on why OP
is spiking the football as if he's uncovered some huge scandal?

~~~
giarc
Likely has to do with the tweet most of the way down [0]. However, that tweet
has to do with used models and the rest of the tweet storm seems to deal with
new models... unless I'm missing something.

[https://twitter.com/JakeLangford6/status/1097688650035462144](https://twitter.com/JakeLangford6/status/1097688650035462144)

------
syntaxing
I wonder if you can use this to predict the Tesla stock price for Q1 (or Q2)
of 2019. For instance, does a large influx of inventory mean that there's a
good chance that they will beat their estimated earnings within Q1 or Q2?
Since they converted their cash flow to so many assets, once the asset gets
converted back into cash, Tesla's number should look great for that particular
quarter (?).

E: Hmm, Tesla sells over 16000 cars a month so these numbers might be
insignificant.

~~~
jason_slack
But shouldn't one backtest this with data from other quarters just to see if
there are any technical indicators? :-) Nice thought, btw. Let's explore it. I
shorted Tesla back in April and October 2018.

------
fenwick67
Do they really know these are actually sitting in inventory and "available for
delivery"?

You can't know if the API is actually giving you info on actual cars that were
created and are sitting around.

~~~
teej
I'll say this much as a new Tesla owner - they have at least 3 systems. Their
internal system which drives anything you see on tesla.com or the app,
Salesforce for tracking customer interactions and the source of truth for some
order state, and third party freight platforms used for shipping cars around.
These systems do not automatically sync and require human intervention to keep
up to date.

I originally test drove in Boston and placed my order there. I informed them I
would take delivery on the west coast and they set that up for me. I later
found out about the three systems when my car was weeks late for delivery. No
one seemed to know where it was or where it was headed. Tesla's internal
system said it was en route to Hayward, CA. Salesforce said it was headed to a
different location that turned out doesn't do deliveries. The shipping company
said the car was headed to New York. The car's GPS pinged it to a railroad
track in Georgia.

My experience is an outlier, but it does indicate that these APIs might not
always be correct.

------
Arzh
Is an open API really a vulnerability?

~~~
Something1234
Yes, if it goes against corporate policy...

Security is like 90% policy.

------
tdhz77
I really don’t understand the hate towards Elon / Tesla on Twitter? Can
somebody explain? I understand finding truth, but some of these truth finders
seem like they go into the extremes to nitpick everything as evidence of
their theory.. am I wrong? What am I not seeing? $Tesla vs TE$LAQ?

~~~
newnewpdro
Short sellers bet on a stock like TSLA being severely overvalued, thus are
incentivized to dig up all the dirt they can to compel the market to sell off
their shares and drive down the stock price.

~~~
__blockcipher__
Beware this narrative. There are many with legitimate concerns around
fraudulent activity (SCTY acquisition, “funding secured” tweet), as well as
Musk’s highly unstable behavior (pedophilia accusations, etc etc). It’s not
solely those with financial incentive.

And no, I’m not a Tesla hater. Just someone who wishes Tesla lived up to their
own image.

~~~
newnewpdro
It's not like I said shorts invent illegitimate claims. They're just the most
incentivized to dig it up and make it as visible as possible. In my experience
it's quite often legitimate, though frequently blown out of proportion for
obvious reasons.

------
Dirlewanger
Why would anyone own any Internet-connected vehicle in their current states?
New vulnerabilities are found every other week. Why are there 0 safety
standards around this? You'd think regulatory bodies would take something like
connecting metal death boxes to the Internet more seriously, but it doesn't
help when they're staffed either with useless idiot boomers who struggle with
opening Excel files or uncaring lobbyists who were working in the private
sector the year before.

~~~
dang
> _useless idiot boomers_

In addition to what I just asked you
([https://news.ycombinator.com/item?id=19210265](https://news.ycombinator.com/item?id=19210265)),
please don't post slurs like this to HN.

