ConnectedDrive is BMW's in-car infotainment system. A mobile app lets owners manage the vehicle through it, and alongside the app the system also provides a full web application. Vulnerability Lab security researcher Benjamin Kunz Mejri submitted vulnerabilities in it to BMW; five months later, with no patch from BMW, he yesterday published two web 0-day vulnerabilities in ConnectedDrive.

Vulnerability 1: VIN session hijacking

This is a session vulnerability that lets a malicious user act on another user's Vehicle Identification Number (VIN). The VIN identifies the vehicle tied to a user account, and ConnectedDrive uses it to bind the vehicle's settings to that account. When these settings are changed on the website, the system syncs the change to the car and even into the mobile app.

Mejri said this attack bypasses the VIN session validation, so an attacker can use another VIN to edit other users' car settings. The steps are as follows:

1. Open the BMW ConnectedDrive web interface and log in: https://www.bmw-connecteddrive.co.uk/cdp/
2. Browse to the My Settings module.
3. Start tampering with the session request, including a new random VIN.
4. Save the request, manipulate the tampered session and add the required values.
5. Continue with the GET request.
6. The module now opens, and the VIN restriction is bypassed.
7. You can now add your own VIN in the interface, or add another car with the same VIN code.

With this, the vulnerability affecting BMW ConnectedDrive can be reproduced. ConnectedDrive settings cover not only locking and unlocking the vehicle but also a number of utility modules, including playlist management, access to e-mail accounts, route planning and real-time traffic information.
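As an added illustration (not BMW's code), the following Python sketch contrasts the flawed pattern described above, where a VIN carried in the request is trusted as soon as the session is valid, with a handler that authorizes the VIN against the account bound to the session. Account names, session ids, the settings store and the VINs are constructed.

```python
import re

# Constructed data: which VINs each account is allowed to manage.
ACCOUNT_VINS = {
    "alice": {"WBAEXAMPLE0000001"},
    "bob": {"WBAEXAMPLE0000002"},
}
# Constructed session store: session id -> account bound to it.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# A VIN is 17 characters; the letters I, O and Q are not used.
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")


class Forbidden(Exception):
    pass


def valid_vin_format(vin):
    """Syntactic check only; format validity says nothing about ownership."""
    return VIN_RE.fullmatch(vin) is not None


def vin_authorized(session_id, vin):
    """True only when the VIN belongs to the account behind this session."""
    account = SESSIONS.get(session_id)
    if account is None or not valid_vin_format(vin):
        return False
    return vin in ACCOUNT_VINS.get(account, set())


def update_settings_vulnerable(session_id, vin, settings, store):
    """The flawed pattern: a valid session is enough, the VIN is never
    checked against the account, so a tampered VIN reaches another car."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    store.setdefault(vin, {}).update(settings)
    return store[vin]


def update_settings_hardened(session_id, vin, settings, store):
    """Ownership is decided server-side from the session, not the request."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    if not vin_authorized(session_id, vin):
        # Attributable to the session's account, which is what a detection
        # rule for cross-account VIN access would alert on.
        raise Forbidden(f"{SESSIONS[session_id]} not authorized for VIN {vin}")
    store.setdefault(vin, {}).update(settings)
    return store[vin]
```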
Vulnerability 2: XSS in the ConnectedDrive web portal

The second vulnerability is in the password-reset page of the portal, the passwordResetOk.html file. A remote attacker can send their own payload in a GET request and have it injected into the client-side web interface. The PoC is as follows:

https://www.bmw.de/de/publicPools/landingPages/passwordResetOk.html?t=OiWU9ARpVXDXDjlRJ3tS6XxgnOvkFzRK%22%3E%3C[CLIENT SIDE SCRIPT CODE INJECT!]iframe%20src=a%20onload=alert%28document.cookie%29%20%3C

This XSS vulnerability can be used to steal cookies and combined with CSRF attacks, phishing attacks and so on.

Mejri said he reported both vulnerabilities to BMW in February 2015, but BMW did not respond to his report in a timely manner, so he chose to disclose his findings. More details are available in the advisories for the first vulnerability and the second vulnerability.

About a year ago, security researcher Samy Kamkar revealed that his OwnStar car-hacking toolkit could also be used to attack BMW's remote services.