A security researcher found an SQL injection vulnerability on Tesla’s website which, when exploited, gave unrestricted access to customer records as well as administrative access to the entire site.
Bitquark, the researcher who discovered the SQL injection vulnerability along with multiple cross-site scripting (XSS) vulnerabilities, revealed that Tesla’s site made extensive use of Drupal and a few plugins. Overall, security on the website is ‘pretty tight’, Bitquark wrote in a blog post.
The vulnerability was present in the URL shortener used by Tesla’s Motors design studio, through which customers can share their creations. “It was in this shortener that I found an SQL injection vulnerability, giving me access to Tesla’s backend database, including access to all online customer records and admin access to the site”, noted the security researcher.
The vulnerability was disclosed through the company’s responsible disclosure agreement, and the researcher revealed that Tesla was quick to respond and requested “some technical details and a copy of the custom Python script I wrote to exploit the vulnerability” after the bug was reported. The vulnerability has been patched as of this writing.
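The class of defect described above is a short-code lookup that splices user input into the SQL text. The following is an added illustration, not Bitquark’s script and not Tesla’s code: a minimal shortener lookup written the vulnerable way and the parameterized way, with an input-validation check in front of it. The table name, column names, sample rows and test input are all constructed for the demo.

```python
"""
Added example (not Bitquark's script and not Tesla's code): a minimal URL
shortener lookup written two ways, to show how a short-code lookup becomes
injectable and how placeholder binding removes the problem. Table name,
column names and sample rows are constructed for this demo.
"""
import sqlite3

# Constructed sample data: short code -> destination URL, plus an "owner"
# column standing in for the kind of record a shortener must not leak.
SAMPLE_LINKS = [
    ("abc123", "https://example.com/design/1", "customer-1"),
    ("def456", "https://example.com/design/2", "customer-2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample links."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (code TEXT PRIMARY KEY, url TEXT, owner TEXT)")
    conn.executemany("INSERT INTO links VALUES (?, ?, ?)", SAMPLE_LINKS)
    conn.commit()
    return conn


def resolve_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    """String formatting puts user-controlled text into the SQL itself,
    so the input can change the meaning of the query (the defect)."""
    sql = f"SELECT url, owner FROM links WHERE code = '{code}'"
    return conn.execute(sql).fetchall()


def resolve_safe(conn: sqlite3.Connection, code: str) -> list:
    """Placeholder binding: the driver sends `code` as data, never as SQL."""
    return conn.execute(
        "SELECT url, owner FROM links WHERE code = ?", (code,)
    ).fetchall()


def is_valid_code(code: str) -> bool:
    """Defence in depth: a shortener only ever issues short alphanumeric
    codes, so anything else can be rejected before it reaches the database."""
    return code.isalnum() and 1 <= len(code) <= 16


def demo() -> dict:
    """Run both lookups against a constructed tautology input and a normal
    code, returning the row counts so the difference can be checked."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed test input (textbook tautology)
    return {
        "vulnerable_rows": len(resolve_vulnerable(conn, tautology)),
        "safe_rows": len(resolve_safe(conn, tautology)),
        "normal_lookup": resolve_safe(conn, "abc123"),
        "input_rejected": not is_valid_code(tautology),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the formatted query returning every row for the tautology input while the parameterized query returns none; the `is_valid_code` check is the cheap second layer that keeps such input from reaching the database at all.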