Particle.news


Volkswagen App Flaw Exposed Vehicles and User Data Through VIN Exploit

A critical vulnerability allowed attackers to brute-force OTPs using VINs, exposing sensitive data; VW patched the issue, but risks persist on outdated app versions.


Overview

  • In November 2024, security researcher Vishal Baskar discovered a flaw in Volkswagen's smartphone app that allowed access to vehicles and personal data using the Vehicle Identification Number (VIN).
  • The vulnerability stemmed from an unprotected OTP system, enabling brute-force attacks to guess four-digit codes without restrictions or timeouts.
  • Exploiting the flaw could expose sensitive user data, including home addresses, phone numbers, email addresses, and vehicle telematics information such as engine status and fuel levels.
  • Volkswagen deployed fixes by May 2025, updating backend systems and patching the server-side flaw, but older app versions remain theoretically exploitable.
  • The incident highlights broader security challenges in connected-car platforms, as public VINs and weak API controls create significant risks for user privacy and safety.
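The second and fifth points above describe the core weakness: a four-digit OTP whose verification endpoint placed no limit on attempts. The following is an added illustration, not code from the article or from Volkswagen, contrasting a verifier modelled on that weakness with one that tracks failures per VIN and locks the VIN out for a window. The attempt limit, lockout length, VIN strings and codes are all constructed values.

```python
import hmac
import time

MAX_ATTEMPTS = 5            # assumed policy value, not from the article
LOCKOUT_SECONDS = 15 * 60   # assumed policy value, not from the article


class UnprotectedOtpVerifier:
    """Models the flaw described in the article: the server compares the
    submitted code and nothing limits how many times a VIN can be tried."""

    def __init__(self, issued_code: str):
        self.issued_code = issued_code

    def verify(self, vin: str, code: str) -> bool:
        return code == self.issued_code


class RateLimitedOtpVerifier:
    """Hardened verifier: a per-VIN failure counter plus a lockout window,
    so a four-digit code space cannot be walked in a single session."""

    def __init__(self, issued_code: str, clock=time.monotonic):
        self.issued_code = issued_code
        self.clock = clock            # injectable for testing
        self.state = {}               # vin -> (failed_attempts, locked_until)

    def verify(self, vin: str, code: str) -> bool:
        failed, locked_until = self.state.get(vin, (0, 0.0))
        if self.clock() < locked_until:
            return False              # locked out: refuse without comparing
        if hmac.compare_digest(code, self.issued_code):
            self.state.pop(vin, None) # success clears the failure counter
            return True
        failed += 1
        if failed >= MAX_ATTEMPTS:
            # lock this VIN and reset the counter for the next window
            failed, locked_until = 0, self.clock() + LOCKOUT_SECONDS
        self.state[vin] = (failed, locked_until)
        return False

    def is_locked(self, vin: str) -> bool:
        return self.clock() < self.state.get(vin, (0, 0.0))[1]
```

In a real deployment the counter and lockout state would live in shared storage keyed by VIN (and ideally by client as well), and the OTP itself should also expire after a short time-to-live.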