ConnectedDrive is the name of BMW's in-car infotainment system.
The service also has an equivalent for the Web, in addition to the mobile apps.
The VIN (vehicle identification number) is the code that identifies each vehicle when accessing the service.
In this way, they can manipulate registered and valid VIN numbers and configuration tweaks through the ConnectedDrive portal.
The vulnerability is located in the session management of the VIN adding procedure.
Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it.
In case of the adding procedure the request approve via action add the context, states the security advisory from the vulnerability-lab.
Remote attackers are able to change, with a live session tamper, the action information to create or update.
This allows an attacker to bypass the invalid VIN exception to finally add a new configuration.
This interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration.
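The pattern the advisory describes, a validation step tied to one value of a client-supplied action field, is shown below next to a hardened handler. This is an added example, not code from BMW or the advisory; the handler names, the `REGISTERED` table and the sample VINs are hypothetical and constructed, and the server logic is an assumed model of the flaw.

```python
# Added illustration; every name here is hypothetical, not BMW's code.
import re

VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")  # 17 chars, no I, O or Q

# Constructed sample data: which account each registered VIN belongs to.
ALICE_VIN = "WBA" + "0" * 13 + "1"
BOB_VIN = "WBA" + "0" * 13 + "2"
REGISTERED = {ALICE_VIN: "alice", BOB_VIN: "bob"}


class InvalidVin(Exception):
    pass


def handle_weak(session_user, action, vin, garage):
    """Flawed pattern: the VIN check runs only when action == 'add'."""
    if action == "add" and REGISTERED.get(vin) != session_user:
        raise InvalidVin(vin)
    # 'create' and 'update' reach the write without any check.
    garage.setdefault(session_user, set()).add(vin)
    return garage


def handle_hardened(session_user, action, vin, garage):
    """Validate on every state-changing action and deny unknown actions."""
    if action not in {"add", "create", "update"}:
        raise ValueError(f"unsupported action: {action!r}")
    if not VIN_RE.fullmatch(vin):
        raise InvalidVin(vin)
    # Ownership comes from server-side records, never from the request.
    if REGISTERED.get(vin) != session_user:
        raise InvalidVin(vin)
    garage.setdefault(session_user, set()).add(vin)
    return garage


def attempt(handler, user, action, vin):
    """Return True if the handler accepted the request."""
    try:
        handler(user, action, vin, {})
        return True
    except (InvalidVin, ValueError):
        return False
```
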
A client-side cross-site scripting web vulnerability has been discovered in the official BMW online service web-software.
The attacker injects the payload after the secure token to execute the context in the passwordResetOk.html file.
The vulnerability is a classic client-side cross-site scripting web vulnerability.
Mejri first disclosed the security flaws to the German automaker in February 2016.
BMW responded to the reports in April.
source: www.techworm.net