California's digital license plates could be doing more harm than good in the foreseeable future.
A group of security researchers recently hacked the companion app and website of digital license late provider Reviver and attain "full super administrative access" to all user accounts.
The state of California legalized using digital license plates at the start of 2023, allowing car owners to use them instead of a traditional, state-issued license plate, per McGlinchey.
A digital license plate made by Bay Area company Reviver Auto, part of a pilot project with the state Department of Motor Vehicles, is displayed on Tesla car at Reviver Auto headquarters on May 30, 2018 in Foster City, California.
Reviver app, Website Vulnerability Details
Security researcher and bug hunter Sam Curry noted in a blog post that he and his group of friends were successful in acquiring full administrative access to all user accounts linked to Reviver's servers.
Curry mentioned that a Reviver license plate comes with a SIM card that remotely tracks and updates a car's digital license plate. It also lets customers remotely update their license plate's slogan, background, and set their plate tag to "STOLEN" should their car be carjacked.
Thanks to these features, Curry and his friends auditted Revivier's mobile app and searched for vulnerabilities. Unfortunately, the vulnerability they found allowed them to access everything related to a user's account on Reviver's server.
To do so, they proxied the HTTP traffic and found that all API functionality was done on the website "pr-api.rplate.com." After creating a user account, they opened the password reset URL and found that the website had a surprisingly huge functionality, with it allowing users to administer vehicles, fleets, and user accounts.
Read More: The 'Borderlands' Movie is Getting a Reshoot with 'Deadpool' Director Tim Miller
Curry and his friends also found in the password reset website's Javascript that it contains the names (though specialized ones) of the other roles that their account could be. These include names for user, moderator, and admin, among others.
They then changed their role parameter to the disclosed "CORPORATE" role after exploring the other roles defined in the Javascript and were successful. This change allowed them to invite other users to their modified account, granting them the required permissions since they were invited through an intended way instead of elevating numerous accounts to "CORPORATE."
Implications of Reviver's Vulnerability
Getting this kind of access means that they could track every car owner with a Reviver digital license plate, manipulate data on users' plates, and even tag their vehicles as stolen even if they're not, per Gizmodo.
The vulnerability even allowed other people to do the aforementioned illegal actions, raising the danger level presented by the digital license plates' vulnerabilities.
Additionally, they could even remotely update, track, or delete their victim's REVIVER plate. They could also access any dealer and update the default image used by the dealer when a newly purchased vehicle still had DEALER tags.
Curry had already informed Reviver of the vulnerability, allowing the company to patch it out in under 24 hours. The company even told Motherboard that it took further measures to prevent other people from doing the same in the future, per Vice.
Reviver added that the vulnerability had not been used, and that customer information had not been affected.
Related Article: Federal Regulators Probe Elon Musk For A Tesla Full Self Driving Tweet
