Lessons Learned: Internal applications need review too (Subaru STARLINK Admin Panel Vulnerability)

:man_technologist:t2: Hi all, I just wanted to share a new story I’ve added to my blog “AppSec Untangled”. This is the 5th episode of a series called “Lessons Learned” :books:, which discusses real-world vulnerabilities through the eyes of an application security engineer, focusing on the underlying root causes of each vulnerability and the measures we can take to avoid similar issues in our own applications.

This episode discusses a write-up by the security researchers Sam Curry and Shubham Shah showing an authentication bypass vulnerability affecting an Admin portal used by internal Subaru employees for various administrative tasks related to the Subaru connected vehicle service.

Hope you find it useful.


:man_facepalming: :grimacing:

I think another lesson is to prepare for stupid design. Like you said: somebody should have caught that, or at least found out later and cleaned it up. It stresses the importance of educating developers in AppSec…