Car owner discovers security vulnerability in Volkswagen app

By: Volodymyr Kolominov | 26.05.2025, 08:21
Volkswagen app. Source: Volkswagen

Information security expert Vishal Bhaskar has discovered a critical vulnerability in the My Volkswagen app, which could allow attackers to access personal data of car owners with just the vehicle identification number (VIN). The vulnerability affected only the Indian version of the app and Volkswagen has now fixed it.

Here's What We Know

Bhaskar stumbled upon the problem accidentally as an ordinary car owner. He purchased a used car and tried to link it to the app. However, the one-time password (OTP) required for confirmation was sent to the former owner's email address. Unable to reach him promptly, Bhaskar started analysing the app's API requests and found that the OTP verification endpoint had no rate limiting and no lockout after repeated incorrect entries.

The researcher wrote a script that tried every possible four-digit code. Within seconds the correct code was found and he was able to access the car's data. For this, Bhaskar needed only the VIN, which is visible through the windscreen.
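The attack in the paragraph above is simply counting through 10,000 codes against an endpoint that never stops answering. The following constructed model, added here as an illustration and not code from the article or from Volkswagen, contrasts a verifier with no attempt limit against one with a per-VIN lockout, a single-use code and a short lifetime. The class names, the `VIN-EXAMPLE-0001` placeholder, the code `7391` and the limits (five failures, five minutes) are all assumptions for the example.

```python
"""Constructed model of an OTP-verification endpoint, runnable offline.

Both verifiers hold the same four-digit OTP for one VIN. The first answers
every guess honestly, so an attacker who knows only the VIN can enumerate
the whole code space. The second burns the challenge after a few failures,
expires it after a short time, and accepts it once only.
"""
import hmac
import time

OTP_DIGITS = 4
OTP_SPACE = 10 ** OTP_DIGITS          # 10,000 candidate codes


class UnlimitedOtpVerifier:
    """No attempt limit: each guess gets a yes/no answer, forever."""

    def __init__(self, vin, otp):
        self._otp = {vin: otp}
        self.attempts = 0

    def verify(self, vin, code):
        self.attempts += 1
        expected = self._otp.get(vin)
        return expected is not None and hmac.compare_digest(code, expected)


class LockingOtpVerifier:
    """Per-VIN failure counter, hard lockout, single use, short lifetime."""

    MAX_FAILURES = 5        # assumed limit
    TTL_SECONDS = 300       # assumed code lifetime

    def __init__(self, vin, otp, now=time.time):
        self._now = now     # injectable clock so expiry can be tested
        self._otp = {vin: (otp, now() + self.TTL_SECONDS)}
        self._failures = {}
        self.attempts = 0

    def verify(self, vin, code):
        self.attempts += 1
        entry = self._otp.get(vin)
        if entry is None:
            return False                  # no active challenge (used, expired or locked)
        otp, expires_at = entry
        if self._now() > expires_at:
            del self._otp[vin]            # expired: owner must request a fresh code
            return False
        if hmac.compare_digest(code, otp):
            del self._otp[vin]            # single use
            self._failures.pop(vin, None)
            return True
        self._failures[vin] = self._failures.get(vin, 0) + 1
        if self._failures[vin] >= self.MAX_FAILURES:
            del self._otp[vin]            # burn the challenge; a new one must be issued
        return False

    def is_locked(self, vin):
        return self._failures.get(vin, 0) >= self.MAX_FAILURES


def brute_force(verifier, vin):
    """Attacker loop: try every code in order until the verifier says yes."""
    for n in range(OTP_SPACE):
        code = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(vin, code):
            return code
    return None


if __name__ == "__main__":
    vin, otp = "VIN-EXAMPLE-0001", "7391"   # constructed placeholders
    open_ep = UnlimitedOtpVerifier(vin, otp)
    print("unlimited endpoint:", brute_force(open_ep, vin), "after", open_ep.attempts, "guesses")
    locked_ep = LockingOtpVerifier(vin, otp)
    print("locking endpoint:", brute_force(locked_ep, vin), "locked:", locked_ep.is_locked(vin))
```

The lockout is keyed on the VIN because that is the only thing the attacker needs to supply; it also means anyone with a VIN can deliberately burn the owner's challenge, so in a real deployment it is paired with per-client rate limiting, a longer code, and binding the OTP to the session that requested it rather than to the VIN alone.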

He didn't stop there and continued his research. According to him, one of the API endpoints returned logins, passwords and tokens to a number of Volkswagen services in the clear. Through another, he accessed service data, including signed contracts, payment information, and owners' personal details - names, phone numbers, addresses and emails.

Particularly alarming was the fact that some endpoints returned vehicle telematics data, including the car's current geolocation. In some cases, the database even stored driver's licence details and emergency contacts. As Bhaskar emphasised, the extent of the vulnerabilities was "extremely serious".

The researcher reported the vulnerabilities to Volkswagen in November 2024. It was initially difficult to find the right representatives, he said, but four days after the first email the company sent an acknowledgement of receipt. In May 2025, he received official confirmation that all the vulnerabilities found had been fixed.

Source: Loopsec/Medium