myHyundai for dealer App misconfiguration
App used by car dealers in Europe was exposing over 25,000 files publicly
What is myHyundai for dealer App?
myHyundai for dealer is an App released by Hyundai Motor Europe for their European dealers to keep in touch with their clients, released in December 2023 and with over 1,000 downloads on Google Play.
“myHyundai Dealer App brings Hyundai customers and dealers into one place. Keep in touch with your customer regarding buying, selling or owning a Hyundai. Through myHyundai Dealer App, you will be able to attend to customer requests whether you are at your desk or on the go.” according to the app's Google Play page.
Finding the exposed data
On October 28th, while looking at some logs of servers I had recently found listing files publicly, I noticed a server with car ownership documents and driver's licence photos inside. I could see the name and files were related to Hyundai but wasn't sure if this came from the company itself or some third party, so I looked further until I noticed a file that was directly linked to a Hyundai Google Play App.
Looking at my logs for this service, I only see one entry for this server, on October 23rd; how long the server was exposed before I logged it is something only Hyundai would be able to tell.
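The post does not say what kind of server was listing the files, only that it listed them publicly and that after the fix it stopped answering unauthorized requests. The following is an added example, not the author's tooling, showing how a log of candidate hosts can be triaged offline: it classifies a response body as an HTML autoindex page (Apache, nginx, Python's http.server), an S3 ListBucketResult, or neither, and counts how many entries look like images or documents. The sample responses are constructed for this example and the file names in them are made up; `fetch_and_classify` is an assumed helper for running the same check against a live URL, for instance to confirm a listing is gone after a fix.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Title patterns emitted by common directory-listing implementations.
HTML_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex, nginx autoindex
    re.compile(r"<title>\s*Directory listing for /", re.I),  # python -m http.server
)
# Hrefs in a listing; sort links such as ?C=N;O=D are excluded by the character class.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"?#]+)"', re.I)

# Extensions that usually mean scanned documents or photos rather than site assets.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".heic", ".pdf"}


def parse_html_listing(body: str):
    """Return listed names if body is an autoindex page, else None."""
    if not any(m.search(body) for m in HTML_LISTING_MARKERS):
        return None
    return [h for h in HREF_RE.findall(body) if h not in ("/", "../", ".")]


def parse_s3_listing(body: str):
    """Return (keys, truncated) if body is an S3 ListBucketResult, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if not root.tag.endswith("ListBucketResult"):
        return None
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    keys = [c.findtext(f"{ns}Key") for c in root.findall(f"{ns}Contents")]
    # S3 returns at most 1000 keys per page; a 25,000-file bucket needs pagination.
    truncated = (root.findtext(f"{ns}IsTruncated") or "").lower() == "true"
    return keys, truncated


def classify_listing(body: str) -> dict:
    """Classify one response body and summarize what it exposes."""
    kind, entries, truncated = None, [], False
    html = parse_html_listing(body)
    if html is not None:
        kind, entries = "html", html
    else:
        s3 = parse_s3_listing(body)
        if s3 is not None:
            kind, (entries, truncated) = "s3", s3
    media = sum(1 for e in entries if PurePosixPath(e).suffix.lower() in MEDIA_EXT)
    return {"kind": kind, "entries": entries, "truncated": truncated, "media_files": media}


def fetch_and_classify(url: str, timeout: float = 10.0) -> dict:
    """Assumed helper: GET a URL and classify the body; a 403/404 after a fix yields kind None."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(2_000_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return {"status": e.code, "kind": None, "entries": [], "truncated": False, "media_files": 0}
    result = classify_listing(body)
    result["status"] = status
    return result


# Constructed sample responses (not captured from any real server).
SAMPLE_APACHE = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="2024-10/">2024-10/</a>
<a href="doc_0001.jpg">doc_0001.jpg</a>
<a href="scan_0002.jpeg">scan_0002.jpeg</a>
</pre></body></html>"""

SAMPLE_S3 = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>example-bucket</Name><Prefix></Prefix><IsTruncated>true</IsTruncated>
<Contents><Key>photos/doc_0001.jpg</Key><Size>312554</Size></Contents>
<Contents><Key>photos/doc_0002.pdf</Key><Size>90011</Size></Contents>
</ListBucketResult>"""

SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>"

if __name__ == "__main__":
    for name, body in (("apache", SAMPLE_APACHE), ("s3", SAMPLE_S3), ("fixed", SAMPLE_FORBIDDEN)):
        print(name, classify_listing(body))
```

The `truncated` flag matters for sizing an exposure: an S3 page that says `IsTruncated` is `true` means the visible keys are only the first page, so the count you report (here 25,637 files) must come from walking every page, not from the first response.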
What was exposed?
File count: 25,637; size: 21.65 GB
I do not have redacted images of what was exposed, as Hyundai asked me to delete anything I downloaded, and it looks like I deleted the redacted pictures together with the rest of the data, but I'll explain below what I saw.
The images on the server were mostly photos taken of Hyundai car ownership documents, with a few driver's licences exposed too. I do not have exact counts of each, but I saw documents related to at least the countries below:
Czech Republic
Italy
Poland
Netherlands
Norway
Notifying Hyundai
On October 28th I sent an email to Hyundai's Europe branch with all the information, as all the exposed PII I saw came from European countries.
The next day I got a reply from HMC/KIA PSIRT (Product Security Incident Response Team), who told me they were passing this internally to the relevant parties.
On October 30th the server stopped accepting any kind of unauthorized request.
After not hearing back from anyone, on November 4th I sent another email asking if there was anything else Hyundai needed from me and what their intention was regarding disclosure.
The next day I got a reply that stated some of the steps they took to fix this issue and that any updates regarding this would be shared through the App. The email also said they had involved their internal data protection experts to investigate this report, and asked me to delete anything I had downloaded regarding this, which I did and let them know.
Final notes
I couldn't find this server indexed in any of the websites I have access to that scan for exposed services; this came from a private feed, and it's likely no one else stumbled upon this server. That's something only Hyundai themselves would be able to confirm, though.
Even though there wasn't much of a proactive attitude from the company when it came to communication, every time I emailed them I always got a reply, and everything got solved pretty fast. That's all I want from companies when I'm contacting them: acknowledge my emails and fix your misconfiguration.