From OTP problem to discovery: How a car buyer found VW's app vulnerabilities
A security researcher from India only wanted to access the app functions of his vehicle. In doing so, he discovered security vulnerabilities in the VW app.
An Indian security researcher has discovered significant security vulnerabilities in the "My Volkswagen" app. Simply by entering a vehicle identification number (VIN), he was able to retrieve extensive data about vehicles via the smartphone app's API. The car manufacturer from Wolfsburg has since closed the vulnerabilities following his tip-off, he reported in a blog post.
Vishal Baskar, who goes by the name loopsec on his Medium blog, ran into a problem after buying a used car: when he wanted to access his vehicle's data using the manufacturer's smartphone app, he had to enter a one-time password (OTP). That OTP, however, was sent to the previous owner's smartphone, and the previous owner did not respond to calls.
OTP problem as the first clue
A closer look at the app, however, aroused the curiosity of the technology enthusiast. Despite repeated incorrect OTP entries, the phone number was not blocked. Baskar then installed Burp Suite to intercept the app's API calls from his iPhone. He found that an unlimited number of attempts was possible, so he was eventually able to determine the correct code with a Python script and gain access to his car.
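The defect described above is the absence of any attempt budget on OTP verification. The following is an added example, not code from Volkswagen or from Baskar's write-up, of how a verification endpoint closes that gap: each phone number gets a fixed number of guesses per code, the code expires and is single-use, a spent budget discards the code and locks the number for a cool-down, and the comparison is constant-time. All names, limits and the injectable `clock` are this example's own assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # failed guesses before the challenge is discarded
OTP_TTL_SECONDS = 300   # a code expires five minutes after it is issued
LOCKOUT_SECONDS = 900   # cool-down for the phone number after the budget is spent


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class OtpVerifier:
    """Issues and checks numeric one-time passwords with a per-number attempt budget.

    `clock` is injectable so expiry and lockout can be tested without sleeping.
    """

    def __init__(self, digits=6, clock=time.time):
        self.digits = digits
        self.clock = clock
        self._challenges = {}    # phone number -> OtpChallenge
        self._locked_until = {}  # phone number -> unix time at which the lockout ends

    def issue(self, phone):
        now = self.clock()
        if self._locked_until.get(phone, 0) > now:
            raise PermissionError("number is locked out; try again later")
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._challenges[phone] = OtpChallenge(code=code, issued_at=now)
        # A real deployment sends the code to the phone and never returns it to
        # the API caller; it is returned here only so the example can be exercised.
        return code

    def verify(self, phone, submitted):
        now = self.clock()
        if self._locked_until.get(phone, 0) > now:
            return False
        ch = self._challenges.get(phone)
        if ch is None or ch.consumed or now - ch.issued_at > OTP_TTL_SECONDS:
            # Nothing valid to check against: drop any stale challenge.
            self._challenges.pop(phone, None)
            return False
        well_formed = (isinstance(submitted, str) and submitted.isascii()
                       and submitted.isdigit() and len(submitted) == self.digits)
        if well_formed and hmac.compare_digest(ch.code, submitted):
            ch.consumed = True   # a code is single-use
            return True
        ch.failed_attempts += 1
        if ch.failed_attempts >= MAX_ATTEMPTS:
            # Discard the challenge and block the number: a fresh code has to be
            # requested after the cool-down, so guesses never accumulate.
            del self._challenges[phone]
            self._locked_until[phone] = now + LOCKOUT_SECONDS
        return False
```

The counters live on the server, keyed by the phone number the code was sent to; a client-side lockout in the app would be bypassed by talking to the API directly, which is exactly what the researcher did with Burp Suite.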
Beyond that, according to his write-up, he discovered that open API endpoints revealed data such as passwords, tokens and usernames in plain text. Using only a car's identification number, he was also able to access information about service and maintenance packages – and could view names, phone numbers, addresses, emails, vehicle details and contract information, he reports.
VW responded with a letter of thanks
He was also able to access the complete workshop history and vehicle telematics data via the API. According to him, the gaps could have been used to track a vehicle's location remotely, for example for stalking. It would also have been possible to commit fraud with the detailed personal information.
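The VIN-keyed endpoints described in the two paragraphs above share one root cause: the VIN acted as the only key to the record, and the whole stored row, secrets included, was serialised back to the caller. The following is an added example, not Volkswagen's code, of the two controls that close that class of issue: object-level authorisation that binds the VIN to the authenticated account on every call, and an allow-list that decides which fields leave the server. Since the story starts with a used-car purchase, it also shows a transfer that cuts off the previous holder's access. The VINs, accounts, field names and record contents are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """The authenticated caller, produced by the login layer, never taken from a request field."""
    user_id: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data. VINs and accounts are placeholders, not real vehicles.
VEHICLE_OWNER = {
    "VIN-EXAMPLE-0001": "user-a",
    "VIN-EXAMPLE-0002": "user-b",
}
VEHICLE_RECORDS = {
    "VIN-EXAMPLE-0001": {
        "vin": "VIN-EXAMPLE-0001",
        "service_history": ["inspection 2023-05", "brake pads 2024-02"],
        "next_service_due": "2025-05",
        "owner_email": "a@example.invalid",          # personal data
        "dealer_api_token": "constructed-secret-1",  # must never leave the server
    },
    "VIN-EXAMPLE-0002": {
        "vin": "VIN-EXAMPLE-0002",
        "service_history": ["inspection 2024-08"],
        "next_service_due": "2026-08",
        "owner_email": "b@example.invalid",
        "dealer_api_token": "constructed-secret-2",
    },
}

# Only these fields are ever serialised into an API response.
RESPONSE_FIELDS = ("vin", "service_history", "next_service_due")


def service_records_unprotected(vin):
    """Before: the VIN alone selects the record, and the whole stored row is returned."""
    return VEHICLE_RECORDS[vin]


def service_records(session, vin):
    """After: the caller must be the registered holder of the VIN, and the
    response is shaped by an allow-list instead of dumping the stored row."""
    if session is None:
        raise Forbidden("authentication required")
    owner = VEHICLE_OWNER.get(vin)
    # Same answer for "unknown VIN" and "someone else's VIN", so the endpoint
    # does not confirm which VINs exist in the system.
    if owner is None or owner != session.user_id:
        raise NotFound("no vehicle with this VIN is registered to your account")
    record = VEHICLE_RECORDS[vin]
    return {field: record[field] for field in RESPONSE_FIELDS if field in record}


def transfer_vehicle(session, vin, new_owner):
    """Used-car sale: the current holder hands the VIN over. Their own access
    ends immediately, because authorisation is re-evaluated on every call."""
    if session is None or VEHICLE_OWNER.get(vin) != session.user_id:
        raise Forbidden("only the current holder may transfer a vehicle")
    VEHICLE_OWNER[vin] = new_owner
```

The allow-list is deliberately a tuple of field names rather than a list of fields to strip: a new column added to the record later is hidden by default and has to be opted in, which is the failure mode that leaks credentials when the shaping is done the other way round.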
Baskar contacted Volkswagen with these findings in November 2024. Besides the difficulty of finding the right contact person, it took a while for the flaws to actually be fixed. He received confirmation on May 6, 2025. In a letter that he published on his blog, the car manufacturer expressly thanked him for his support. Although he did not receive a reward, he is pleased to have contributed to the product safety of a common everyday item, writes Baskar.
heise online has asked Volkswagen for a statement and will provide one later in this article.
(mki)