Sam Curry and friends had pwned the auto industry for fun multiple times. This time, they set their eyes on Subaru.
The initial tests around the main Subaru mobile app didn't lead to anything; it was well secured. After Sam talked with Shubs about this, Shubs found a website that Sam hadn't seen before - subarucs.com. Looking at its subdomains, they found a site whose title was STARLINK Admin Portal.
Not the Elon Musk Starlink - STARLINK is the name of Subaru's in-vehicle infotainment and remote-functionality system. With no login creds, the portal wasn't very interesting on its own. While reading its JavaScript, though, they found both starlinkEnroll.js and login.js, which included references to a password reset.
The JavaScript used for the password reset functionality had ZERO confirmation token on it. If the back end behaved the way the JS suggested, a single POST request could reset the password of an internal employee account. Unfortunately, the request required a valid employee email, which they didn't have - but it DID work for enumerating valid addresses.
The login then had 2FA - literally just the city you lived in. Luckily for them, the 2FA was enforced client-side only, so it could simply be skipped. Now they could log in to this user's account with the password that they had set.
On the website, they were able to track a user's exact coordinates for the last year. It also contained a vehicle search based on a lot of criteria. The panel allowed a vehicle to be attached to an account without anyone's consent. So they used this to attach their account to a friend's car and then remotely started executing commands. Wild!
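The attachment step is a missing authorization check: the portal let any account be linked to any vehicle with no proof of ownership or consent. Below is an added example, not code from the original post or from Subaru, of that link step with and without an owner-consent gate, in plain Node.js. Every name (`vehicles`, `requestAttach`, `approveAttach`, the VINs and addresses) is hypothetical and the data is constructed.

```javascript
// Added example (not from the original post or from Subaru): linking a vehicle
// to an account, insecure beside hardened. All names and data are hypothetical.
const vehicles = new Map([
  ["VIN-CONSTRUCTED-0001", { owner: "owner@example.test", linked: new Set(["owner@example.test"]) }],
  ["VIN-CONSTRUCTED-0002", { owner: "owner@example.test", linked: new Set(["owner@example.test"]) }],
]);
const pendingLinks = new Map(); // requestId -> { vin, requester }
const audit = [];               // every attach decision is recorded
let nextRequestId = 1;

// Weakness: the portal links any account to any vehicle on request. Whoever
// can reach this function and knows a VIN gets remote-command access.
function attachInsecure(requester, vin) {
  const v = vehicles.get(vin);
  if (!v) return false;
  v.linked.add(requester);
  return true;
}

// Hardened flow, step 1: an attach request only creates a pending record,
// whether it comes from a customer or from a portal operator.
function requestAttach(requester, vin) {
  if (!vehicles.has(vin)) return null;
  const id = nextRequestId++;
  pendingLinks.set(id, { vin, requester });
  audit.push({ event: "attach-requested", id, vin, requester });
  return id;
}

// Step 2: only the registered owner can approve; anyone else is refused and
// the attempt is logged so it can be alerted on.
function approveAttach(approver, id) {
  const req = pendingLinks.get(id);
  if (!req) return false;
  const v = vehicles.get(req.vin);
  if (v.owner !== approver) {
    audit.push({ event: "attach-denied", id, by: approver });
    return false;
  }
  pendingLinks.delete(id);
  v.linked.add(req.requester);
  audit.push({ event: "attach-approved", id, by: approver });
  return true;
}

// Remote commands (start, unlock, location history) are gated on the link
// table, so an unapproved request grants nothing.
function canSendRemoteCommand(account, vin) {
  const v = vehicles.get(vin);
  return !!v && v.linked.has(account);
}
```

The audit entries are the detection side of this: a burst of `attach-requested` or `attach-denied` events from one account, or an operator approving links for vehicles they do not own, is the signal a defender would want to alert on.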
Two fairly simple bugs. To me, the asset discovery and reverse engineering of the web page are the interesting parts. In web3, virtually everything is open source, so this process is super fascinating to me.