Tens of thousands of cars were left exposed to thieves due to a hardcoded password

The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers.

Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today…

According to a security alert sent out on Monday by the Carnegie Mellon University CERT Coordination Center, before the updates, any threat actor could have extracted these hardcoded credentials from the app’s source code and used them “in place of a user’s username and password to communicate with the server endpoint for a target user’s account,” granting full control over any connected car, including locating, unlocking, and starting it.