Mercedes-Benz app glitch exposed car owners’ information to other users
Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information.
TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see other car owners’ names, recent activity, phone numbers, and more.
The apparent security lapse happened late-Friday before the app went offline “due to site maintenance” a few hours later.
It’s not uncommon for modern vehicles these days to come with an accompanying phone app. These apps connect to your car and let you remotely locate them, lock or unlock them, and start or stop the engine. But as cars become internet-connected and hooked up to apps, security flaws have allowed researchers to remotely hijack or track vehicles.
One Seattle-based car owner told TechCrunch that their app pulled in information from several other accounts. He said that both he and a friend, who are both Mercedes owners, had the same car belonging to another customer, in their respective apps but every other account detail was different.
The car owners we spoke to said they were able to see the car’s recent activity, including the locations of where it had recently been, but they were unable to track the real-time location using the app’s feature.
When he contacted Mercedes-Benz, a customer service representative told him to “delete the app” until it was fixed, he said.
The other car owner we spoke to said he opened the app and found it also pulled in someone else’s profile.
“I got in contact with the person who owns the car that was showing up,” he told TechCrunch. “I could see the car was in Los Angeles, where he had been, and he was in fact there,” he added.
He said that he wasn’t sure if the app has exposed his private information to another customer.
“Pretty bad fuck up in my opinion,” he said.
The first customer reported that the “lock and unlock” and the engine “start and stop” features did not work on his app, somewhat limiting the impact of the security lapse. The other customer said they did not attempt to test either feature.
It’s not clear how the security lapse happened or how widespread the problem was.
“There was a short interval [Friday[ during which incorrect customer data was displayed on our MercedesMe app,” said Donna Boland, a spokesperson for Daimler, the parent company of Mercedes-Benz.
“The information displayed was cached information — not real-time access to the account, no financial info was viewable nor was it possible to interact with, or determine live location of, the vehicle associated with the account,” the spokesperson said. “When we became aware of the issue, we took the system down, identified the issue and resolved it,” she added.
According to Google Play’s rankings, more than 100,000 customers have installed the app.
A similar security lapse hit Credit Karma’s mobile app in August. The credit monitoring company admitted that users were inadvertently shown other users’ account information, including details about credit card accounts and balances. But despite disclosing other people’s information, the company denied a data breach.
Updated with comment from Mercedes-Benz parent Daimler.