Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

The 19-year-old cybersecurity researcher who remotely accessed dozens of Tesla Inc. vehicles through a third-party flaw, has a new trick: hacking the car owners’ email addresses to notify them they’re at risk.Earlier this month, David Colombo discovered a flaw in a piece of third-party open source software that let him remotely hijack some functions on about two dozen Teslas, including opening and closing the doors or honking the horn. In trying to notify the affected car owners, he then found a flaw in Tesla’s software for the digital car key that allowed him to learn their email addresses.

Colombo said the defect was in a Tesla application programming interface, or API. After he publicized his first discovery, a Twitter user suggested contact details for the affected owners could be found in the code that allows two pieces of software to communicate with each other, also known as an API endpoint.

“Once I was able to figure out the endpoint, I was indeed able to carry the email address associated with the Tesla API key, the digital car key,” Colombo said in an interview Monday with Bloomberg Television. “You shouldn’t be able to carry sensitive information like an email address using an access that is already expired or revoked.”

The teenager, from Dinkelsbühl, Germany, said he has shared the additional vulnerability with Tesla, and the car company’s engineers have written a fix to prevent it from happening in the future.

Tesla didn’t respond to a request for comment. Colombo said his additional discovery should be eligible for a “bug bounty” from Tesla — consistent with the company’s policy — but officials there haven’t confirmed an amount with him. He joked that he hopes the sum is big enough to cover the coffee bill he’s amassed working on the original flaw the last two weeks.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFlare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cid	1 year	This is an important cookie in making credit card transaction on the website. It allows the online transaction without storing the credit card information.This service is provided by Stripe.com.
connect.sid	1 month	This cookie is used for authentication and for secure log-in. It registers the log-in information.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__atuvs	30 minutes	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__cf_bm	30 minutes	This cookie is set by CloudFlare. The cookie is used to support Cloudflare Bot Management.
__pvi	1 day	This cookie is used for the implementation of the news content from other sites.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc	1 day	This cookie is set by LinkedIn and used for routing.

Cookie	Duration	Description
__gads	1 year 24 days	This cookie is set by Google and stored under the name dounleclick.com. This cookie is used to track how many times users see a particular advert which helps in measuring the success of the campaign and calculate the revenue generated by the campaign. These cookies can only be read from the domain that it is set on so it will not track any data while browsing through another sites.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_Y7XD5FHQVG	2 years	This cookie is installed by Google Analytics.
_gat_UA-10686674-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
ANON_ID	3 months	This cookie is provided by Tribalfusion. The cookie is used to give a unique number to visitors, and collects data on user behaviour like what page have been visited. This cookie also helps to understand which sale has been generated by as a result of the advertisement served by third party.
jam_heavy_ga_session	5 years	This cookie is installed by Google Analytics.
UserID1	3 months	The cookie sets a unique anonymous ID for a website visitor. This ID is used to continue to identify users across different sessions and track their activities on the website. The data collected is used for analysis.
uvc	1 year 1 month	The cookie is set by addthis.com to determine the usage of Addthis.com service.

Cookie	Duration	Description
__tbc	2 years	This cookie is used for measuring the efficiency of advertisement by registering data on visitors from multiple website.
_cc_aud	8 months 26 days	The cookie is set by crwdcntrl.net. The purpose of the cookie is to collect statistical information in an anonymous form about the visitors of the website. The data collected include number of visits, average time spent on the website, and the what pages have been loaded. These data are then used to segment audiences based on the geographical location, demographic, and user interest provide relevant content and for advertisers for targeted advertising.
_cc_cc	session	The cookie is set by crwdcntrl.net. The purpose of the cookie is to collect statistical information in an anonymous form about the visitors of the website. The data collected include number of visits, average time spent on the website, and the what pages have been loaded. These data are then used to segment audiences based on the geographical location, demographic, and user interest provide relevant content and for advertisers for targeted advertising.
_cc_dc	8 months 26 days	The cookie is set by crwdcntrl.net. The purpose of the cookie is to collect statistical information in an anonymous form about the visitors of the website. The data collected include number of visits, average time spent on the website, and the what pages have been loaded. These data are then used to segment audiences based on the geographical location, demographic, and user interest provide relevant content and for advertisers for targeted advertising.
_cc_id	8 months 26 days	The cookie is set by crwdcntrl.net. The purpose of the cookie is to collect statistical information in an anonymous form about the visitors of the website. The data collected include number of visits, average time spent on the website, and the what pages have been loaded. These data are then used to segment audiences based on the geographical location, demographic, and user interest provide relevant content and for advertisers for targeted advertising.
_kuid_	5 months 27 days	The cookie is set by Krux Digital under the domain krxd.net. The cookie stores a unique ID to identify a returning user for the purpose of targeted advertising.
_rxuuid	1 year	The main purpose of this cookie is targeting, advertesing and effective marketing. This cookie is used to set a unique ID to the visitors, which allow third party advertisers to target the visitors with relevant advertisement up to 1 year.
ANON_ID_old	3 months	This cookie helps to categorise the users interest and to create profiles in terms of resales of targeted marketing. This cookie is used to collect user information such as what pages have been viewed on the website for creating profiles.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
CMID	1 year	The cookie is set by CasaleMedia. The cookie is used to collect information about the usage behavior for targeted advertising.
CMPRO	3 months	This cookie is set by Casalemedia and is used for targeted advertisement purposes.
CMPS	3 months	This cookie is set by Casalemedia and is used for targeted advertisement purposes.
CMST	1 day	The cookie is set by CasaleMedia. The cookie is used to collect information about the usage behavior for targeted advertising.
DSID	1 hour	This cookie is setup by doubleclick.net. This cookie is used by Google to make advertising more engaging to users and are stored under doubleclick.net. It contains an encrypted unique ID.
google_push	5 minutes	This cookie is set by the Bidswitch. This cookie is used to collect statistical data related to the user website visit such as the number of visits, average time spent on the website and what pages have been loaded. This collected information is used to sort out the users based on demographics and geographical locations inorder to serve them with relevant online advertising.
i	1 year	The purpose of the cookie is not known yet.
id	3 months	The main purpose of this cookie is targeting and advertising. It is used to create a profile of the user's interest and to show relevant ads on their site. This Cookie is set by DoubleClick which is owned by Google.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
IDSYNC	1 year	This cookie is used for advertising purposes.
KADUSERCOOKIE	3 months	The cookie is set by pubmatic.com for identifying the visitors' website or device from which they visit PubMatic's partners' website.
KTPCACOOKIE	1 day	This cookie is set by pubmatic.com for the purpose of checking if third-party cookies are enabled on the user's website.
ljt_reader	1 year	This is a Lijit Advertising Platform cookie. The cookie is used for recognizing the browser or device when users return to their site or one of their partner's site.
loc	1 year 1 month	This cookie is set by Addthis. This is a geolocation cookie to understand where the users sharing the information are located.
mc	1 year 1 month	This cookie is associated with Quantserve to track anonymously how a user interact with the website.
mt_mop	1 month	Stores information about how the user uses the website such as what pages have been loaded and any other advertisement before visiting the website for the purpose of targeted advertisements.
personalization_id	2 years	This cookie is set by twitter.com. It is used integrate the sharing features of this social media. It also stores information about how the user uses the website for tracking and targeting.
suid_legacy	1 year	This cookie is used to collect information on user preference and interactioin with the website campaign content. This cookie is used for promoting events and products by the webiste owners on CRM-campaign-platform.
TDCPM	1 year	The cookie is set by CloudFlare service to store a unique ID to identify a returning users device which then is used for targeted advertising.
TDID	1 year	The cookie is set by CloudFlare service to store a unique ID to identify a returning users device which then is used for targeted advertising.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
tluid	3 months	This cookie is set by the provider AdRoll.This cookie is used to identify the visitor and to serve them with relevant ads by collecting user behaviour from multiple websites.
tuuid	1 year	This cookie is set by .bidswitch.net. The cookies stores a unique ID for the purpose of the determining what adverts the users have seen if you have visited any of the advertisers website. The information is used for determining when and how often users will see a certain banner.
tuuid_lu	1 year	This cookie is set by .bidswitch.net. The cookies stores a unique ID for the purpose of the determining what adverts the users have seen if you have visited any of the advertisers website. The information is used for determining when and how often users will see a certain banner.
uid	5 months 27 days	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
uuid	1 year 27 days	To optimize ad relevance by collecting visitor data from multiple websites such as what pages have been loaded.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
wfivefivec	1 year 1 month	The domain of this cookie is owned by Dataxu. The main business activity of this cookie is targeting and advertising. This cookie tracks the advertisement report which helps us to improve the marketing activity.
xbc	2 years	This cookie is used for optmizing the advertisement on the website more relevant by analysing the user behaviour and interaction with the website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
__browsiSessionID	30 minutes	No description available.
__browsiUID	1 year	No description available.
__cflb	23 hours	This cookie is used by Cloudflare for load balancing.
__gpi	1 year 24 days	No description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
blkbs	6 days 23 hours	No description
charitable_session	1 day	No description available.
cookietest	session	No description
debug	never	No description available.
gCStest	7 years 1 month 26 days 16 hours	No description
muc_ads	2 years	No description
revengine_browser_id	session	No description
revengine-browser-token	session	RevEngine Data Tool.
rl_user_id	never	No description available.
tf_respondent_cc	6 months	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
vic_loc_error	10 minutes	No description
vicinity_id	1 year 10 months 24 days 11 hours	Vicinity Advertising.

Defend Truth

International Finance

Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

International Finance

Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

The 19-year-old cybersecurity researcher who remotely accessed dozens of Tesla Inc. vehicles through a third-party flaw, has a new trick: hacking the car owners’ email addresses to notify them they’re at risk.

Comments - Please login in order to comment.

Investigations

Investigations

News & Analysis

News & Analysis

Features

Features

Newsletters

Newsletters

Community

Community

DM168

DM168

This article is free to read.

Sign up for free or sign in to continue reading.

South Africa needs good journalism — and we need your help to keep delivering it

We would like our readers to start paying for Daily Maverick...

Defend Truth

International Finance

Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

International Finance

Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

The 19-year-old cybersecurity researcher who remotely accessed dozens of Tesla Inc. vehicles through a third-party flaw, has a new trick: hacking the car owners’ email addresses to notify them they’re at risk.

Comments - Please login in order to comment.

Investigations

Investigations

News & Analysis

News & Analysis

Features

Features

Newsletters

Newsletters

Community

Community

DM168

DM168

Please peer review 3 community comments before your comment can be posted

This article is free to read.

Sign up for free or sign in to continue reading.

South Africa needs good journalism — and we need your help to keep delivering it

We would like our readers to start paying for Daily Maverick...