You may remember that last week we covered a story about a young cybersecurity researcher and hacker who announced that he had gained control of two dozen Tesla vehicles. He was able to do it through APIs (application programming interfaces, the defined ways in which one piece of software exchanges data with another), and now he says he can learn owners’ email addresses using the same technique.
With the first vulnerability that he uncovered, David Colombo waited to be contacted by Tesla after posting his findings on Twitter. He eventually was contacted by the manufacturer, although we don’t know if he had already found a way to see the emails when talking to Tesla.
According to Automotive News,
Colombo said the defect was in a Tesla application programming interface, or API. After he publicized his first discovery, a Twitter user suggested contact details for the affected owners could be found in the code that allows two pieces of software to communicate with each other, also known as an API endpoint.
The hacker, who is 19 years old and lives in the small historic German town of Dinkelsbühl, told Bloomberg that
Once I was able to figure out the endpoint, I was indeed able to carry the email address associated with the Tesla API key, the digital car key.
You shouldn't be able to carry sensitive information like an email address using an access that is already expired or revoked.
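The failure mode described in the quote above is an endpoint that hands back account data for any token it can find in its database, without first checking whether that token is still valid. The following is an added illustration written for this article, not code from Tesla or from the researcher; the token store, field names and sample values are all constructed, and nothing here reflects how Tesla's API is actually built. It places the weak lookup beside a hardened one and adds a small audit helper a defender might run to find tokens the weak lookup would still honour.

```python
"""Constructed example: an account lookup must validate the token's state
(expiry, revocation), not merely its existence. Hypothetical code, not Tesla's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ApiToken:
    token: str
    owner_email: str
    expires_at: datetime
    revoked: bool = False


# Constructed sample store; every value is a placeholder, not real data.
NOW = datetime(2022, 1, 20, tzinfo=timezone.utc)
TOKENS = {
    "tok-active": ApiToken("tok-active", "owner-a@example.com", NOW + timedelta(days=30)),
    "tok-expired": ApiToken("tok-expired", "owner-b@example.com", NOW - timedelta(days=1)),
    "tok-revoked": ApiToken("tok-revoked", "owner-c@example.com", NOW + timedelta(days=30), revoked=True),
}


def lookup_email_unchecked(token: str) -> Optional[str]:
    """Weak pattern: any token still present in the store yields the email,
    even after it has expired or been revoked by the owner."""
    rec = TOKENS.get(token)
    return rec.owner_email if rec else None


def lookup_email_checked(token: str, now: datetime = NOW) -> Optional[str]:
    """Hardened pattern: expiry and revocation are verified before any account
    attribute is released, and every failure looks identical to the caller
    so an unknown token cannot be told apart from a revoked one."""
    rec = TOKENS.get(token)
    if rec is None or rec.revoked or rec.expires_at <= now:
        return None
    return rec.owner_email


def audit_stale_tokens(now: datetime = NOW) -> list[str]:
    """Defender check: tokens that the unchecked lookup would still honour.
    Returns the token ids sorted so the output is stable for reporting."""
    return sorted(t for t, r in TOKENS.items() if r.revoked or r.expires_at <= now)


if __name__ == "__main__":
    for t in TOKENS:
        print(t, "unchecked:", lookup_email_unchecked(t), "checked:", lookup_email_checked(t))
    print("stale tokens still honoured by the unchecked lookup:", audit_stale_tokens())
```

The design point is that the hardened lookup returns the same `None` for a missing, an expired and a revoked token; returning distinct errors would let a caller learn which tokens once belonged to real accounts. Keeping the revocation check on the server side, rather than trusting the client to stop using a key it has thrown away, is what closes the gap the quote describes.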
Now he says he is waiting to receive ‘a big bounty’ from Tesla for notifying the manufacturer about these vulnerabilities, although the source says this has not been agreed upon yet. Back in 2020, Tesla announced it was offering $1 million and a free car to security researchers who found bugs in its systems, which is surely what got David Colombo interested in the first place.