james jorts
@inaudible.bsky.social
no book in the world brings together so much whale.
21 followers, 168 following, 173 posts
inaudible.bsky.social

oh my god. it's just an API with no authn

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia's web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles' features to any customer account they created. “It’s really simple. They weren't checking if a user is a dealer,” says Rivera. “And that's kind of a big issue.”
6

dadback.bsky.social

This is like if accessing your email account just required knowing the email address

0
dingokayfabe.bsky.social

Wow that’s some KIAstone Kops shit right there

0
natmfat.bsky.social

who even developed and approved this? an overworked intern?

1
andrewwmiller.com

For clarity, it has authentication, it doesn't have an extra tier for dealer vs user.

2
motown.bsky.social

All your Kia are belong to us.

0
inaudible.bsky.social

I wish we had more precise terms than "flaw" and "exploit" that gave the public a sense of how incredibly stupid this is

4