Usually when someone takes over a website, it’s thanks to some sly social engineering or vulnerability in the website itself. That’s not at all how a recent Tesla slip-up happened, though.
Instead, Tesla accidentally granted a random customer control over its official forums when the customer complained about their delayed Tesla vehicle delivery. That access allowed the customer to edit or delete anyone else’s posts, as well as see the contact information for the forum’s 1.5 million users.
“The customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum,” a Tesla spokesperson told Motherboard in an email on Monday. “We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit.”
This bizarre story starts with Dan, the CEO of travel website DansDeals.com, who recently posted on the Tesla owners’ forum about some of the delivery issues with his car. Oddly, when Dan tried to edit the post, the thread disappeared entirely, according to a blog post Dan published over the weekend. It turned out Dan didn’t have an “owners” account, and could only make one thread on the forum per day. He contacted customer support to solve the issue.
“So I called Tesla and asked the agent to please list me as an owner on the Tesla Forums,” Dan wrote. “The agent had no idea what ‘forums’ meant. I explained that they were on Tesla.com, but sure enough, there is no link on Tesla’s site to the forums. I said to type in forums.tesla.com and the agent said she would pass on my request to her IT department.”
The IT department, it seems, may have taken the request a bit too literally.
A short while later, Dan noticed he “had the ability to edit and delete everyone’s posts! Then I looked at the top of the page and noticed the admin bar. Something very strange was going on here,” his post continues.
“But this was much bigger than that. I clicked on the People option and was able to view the contact information of over 1.5 million account holders,” Dan adds. He was even able to search for particular people, and found neighbours and friends with Teslas, Dan claims. He believes he found Elon Musk’s own account, which had last logged in some three and a half years ago.
“Clearly he prefers Twitter,” Dan wrote. At one point, Dan accidentally removed thousands of threads when he republished, and then unpublished, his rogue thread that had started the series of events in the first place.
Dan also found a number of personal, non-Tesla email addresses linked to accounts with high privileges across the forum. Tesla told Motherboard these were former employees. Tesla said it has now downgraded those accounts.
Tesla asked Dan to submit the issue more formally through the company’s bug bounty program. The submission is still being processed, according to Dan’s post.
“Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community,” the spokesperson told Motherboard.