Security Researcher Hacks into His Own Car, Uncovers Major Flaws in Volkswagen’s Connected App


A security researcher has uncovered serious vulnerabilities in Volkswagen’s connected car ecosystem. He revealed how loopholes in the company’s mobile app could allow unauthorized access to sensitive user data, and in some cases, remote control over vehicles. The flaws exposed critical security gaps in how Volkswagen handles user authentication, vehicle data, and backend services.

The discovery was made by Vishal Bhaskar, a cybersecurity researcher, who stumbled upon the vulnerabilities after purchasing a pre-owned Volkswagen in 2024. While trying to link his car with the official My Volkswagen app, Vishal encountered an unexpected roadblock. The app required an OTP sent to the previous owner’s phone. This small issue made him look deeper into the system, and he soon discovered several serious security flaws.

After failing to reach the former owner and with no way to retrieve the OTP, Vishal decided to try his luck with a few random 4-digit codes. Surprisingly, the app did not lock him out, even after 10–15 failed attempts. This behavior triggered his instincts as a security professional — what would happen if someone brute-forced all 10,000 possible combinations?

He then used Burp Suite to inspect the app’s network traffic and wrote a Python script to brute-force the OTP. Once the car was linked to his account, he discovered several critical issues in the backend.
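The weakness that made the brute force possible was not the OTP itself but the absence of any attempt limit: with 10,000 four-digit codes and no lockout, exhausting the space is a matter of minutes. The following is an added illustration of how a server-side OTP check closes that gap; it is hypothetical code written for this article, not Volkswagen’s implementation, and the `OtpVerifier` class, the `MAX_ATTEMPTS`, `OTP_TTL_SECONDS` and `OTP_DIGITS` policy values, and the `VIN-EXAMPLE-0001` identifier are all made up for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Policy constants chosen for this example (not values from the real app).
MAX_ATTEMPTS = 5         # wrong guesses allowed before the challenge is invalidated
OTP_TTL_SECONDS = 300    # a challenge expires five minutes after it is issued
OTP_DIGITS = 6           # 6 digits gives 10^6 codes; 4 digits gives only 10^4


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class OtpVerifier:
    """Server-side OTP store with per-challenge attempt limiting (hypothetical design).

    Every wrong guess is counted against the challenge; after MAX_ATTEMPTS the
    challenge is dead even if the next guess happens to be right.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._challenges: Dict[str, OtpChallenge] = {}

    def issue(self, vin: str) -> str:
        """Create a fresh challenge for a VIN; the code would go only to the registered phone."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._challenges[vin] = OtpChallenge(code=code, issued_at=self._clock())
        return code

    def verify(self, vin: str, guess: str) -> str:
        """Return one of: ok, wrong, locked, expired, no_challenge."""
        ch = self._challenges.get(vin)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[vin]
            return "expired"
        # Constant-time comparison: response timing must not reveal which digits matched.
        # The length/ASCII guard only rejects malformed input; the code length is public.
        matched = (len(guess) == OTP_DIGITS and guess.isascii()
                   and hmac.compare_digest(ch.code, guess))
        if matched:
            del self._challenges[vin]  # single use: a correct code cannot be replayed
            return "ok"
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True           # caller must request a new challenge, which again
            return "locked"            # is delivered only to the registered phone
        return "wrong"


def replay_guesses(verifier: OtpVerifier, vin: str, guesses: List[str]) -> List[str]:
    """Feed a sequence of guesses to the verifier and collect the outcomes."""
    return [verifier.verify(vin, g) for g in guesses]


def demo() -> List[str]:
    """Constructed scenario: MAX_ATTEMPTS wrong guesses, then the real code."""
    v = OtpVerifier()
    real = v.issue("VIN-EXAMPLE-0001")
    wrong = "000000" if real != "000000" else "000001"
    return replay_guesses(v, "VIN-EXAMPLE-0001", [wrong] * MAX_ATTEMPTS + [real])


if __name__ == "__main__":
    print(demo())  # ['wrong', 'wrong', 'wrong', 'wrong', 'locked', 'locked']
```

The design choice worth noting is that the attempt counter lives with the challenge on the server, not with the client session: a guesser who opens a new app session or changes IP address still runs into the same dead challenge, and the only way past it is a fresh code delivered to the phone number already on file.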

  • Vulnerability #1: Internal Credentials in Cleartext
    One endpoint was exposing internal usernames, passwords, tokens, and even credentials for third-party services like payment processors and Salesforce — all in plain text.
  • Vulnerability #2: Personal Details Exposed via VIN
    Using just the Vehicle Identification Number (VIN), another API endpoint revealed complete customer profiles, including names, phone numbers, email addresses, postal addresses, registration details, and more. These were tied to service and maintenance records.
  • Vulnerability #3: Full Vehicle Service History Accessible
    A separate endpoint allowed access to full service history, customer complaints, and dealership interactions. This data is accessible to anyone who knows the VIN, which is typically visible through the car windshield.
  • Additional Data Leaks
    Some endpoints even exposed telematics data, education qualifications, and driving license numbers. In the wrong hands, this information could be used to track a user’s movements, impersonate them, or target them in phishing scams.
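The common thread in the three endpoint flaws is that the VIN, a value printed on the windshield, was treated as if it were a credential. The code below is an added example, not Volkswagen’s code, contrasting that flawed lookup with a handler that authenticates the caller, checks an object-level link between the account and the VIN, and returns only the fields an owner needs. The `RECORDS` and `VERIFIED_LINKS` tables, the account names and the `VIN-EXAMPLE-*` identifiers are constructed sample data.

```python
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class CustomerRecord:
    name: str
    phone: str
    email: str
    licence_number: str
    service_history: Tuple[str, ...]


# Constructed sample data for this example; none of it comes from the article.
RECORDS: Dict[str, CustomerRecord] = {
    "VIN-EXAMPLE-0001": CustomerRecord("A. Owner", "+00 555 0101", "a.owner@example.com",
                                       "DL-EXAMPLE-1", ("2023-03 oil change", "2024-01 brake pads")),
    "VIN-EXAMPLE-0002": CustomerRecord("B. Owner", "+00 555 0202", "b.owner@example.com",
                                       "DL-EXAMPLE-2", ("2024-06 recall work",)),
}

# Accounts that have completed the OTP step for a VIN. Only such a link makes a VIN
# query legitimate; the VIN itself is readable through the windshield and is no secret.
VERIFIED_LINKS: Dict[str, Set[str]] = {
    "user-alice": {"VIN-EXAMPLE-0001"},
    "user-bob": {"VIN-EXAMPLE-0002"},
}

# Fields a vehicle owner actually needs from this endpoint. The licence number and
# the phone number stay out of the response even for the legitimate owner.
OWNER_VISIBLE_FIELDS = ("name", "email", "service_history")


def profile_by_vin_unchecked(vin: str) -> Optional[dict]:
    """The flawed pattern: the VIN is the only input, so anyone who knows it gets everything."""
    rec = RECORDS.get(vin)
    return asdict(rec) if rec else None


def profile_by_vin_authorized(session_user: Optional[str], vin: str) -> Tuple[int, dict]:
    """Hardened pattern: authenticate, check the caller is linked to this VIN, then minimise.

    Returns an (http_status, body) pair the way a request handler would.
    """
    if session_user is None:
        return 401, {"error": "authentication required"}
    # Object-level check. An unlinked VIN and a nonexistent VIN get the same answer,
    # so the endpoint cannot be used to confirm which VINs exist in the database.
    if vin not in VERIFIED_LINKS.get(session_user, set()) or vin not in RECORDS:
        return 403, {"error": "not linked to this vehicle"}
    full = asdict(RECORDS[vin])
    return 200, {k: full[k] for k in OWNER_VISIBLE_FIELDS}


if __name__ == "__main__":
    print(profile_by_vin_unchecked("VIN-EXAMPLE-0002"))                 # leaks everything
    print(profile_by_vin_authorized(None, "VIN-EXAMPLE-0002"))          # (401, ...)
    print(profile_by_vin_authorized("user-alice", "VIN-EXAMPLE-0002"))  # (403, ...)
    print(profile_by_vin_authorized("user-alice", "VIN-EXAMPLE-0001"))  # (200, owner fields only)
```

The same three-step shape (who is calling, are they linked to this object, what subset of the record do they need) applies equally to the service-history and telematics endpoints described above; the record type changes, the check does not.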

Vishal warned that these flaws could have dangerous real-world consequences. Anyone with access to a car’s VIN could potentially add that car to their app, access telematics and location data, and retrieve detailed personal information about the owner. This kind of exposure makes users vulnerable to stalking, identity theft, or scams. A criminal could pose as a dealership representative with access to legitimate data, or worse, attempt to track and control the car remotely if additional features were exploited.

Vishal responsibly disclosed the vulnerabilities to Volkswagen on November 23, 2024, and the company acknowledged the report on November 27. After a few weeks of open communication, the company patched all of the vulnerabilities. While Vishal did not receive a bug bounty, he expressed satisfaction in helping secure a widely used system.

This case is a strong reminder of how internet-connected features in modern vehicles can introduce new security risks. As cars become smarter, the systems that power them must be built with the same security standards we expect from financial or medical platforms.
