Updated: A Tesla Owner Complains To Customer Service, Gets More Than He Bargained For

This article is more than 5 years old.

Tesla is known for quickly resolving a wide range of customer complaints, with many of the responses and fixes coming directly from its CEO, Elon Musk. But this isn't a story about its good customer service. Rather, it's a story of a chaotic communication process that a customer says led to the uncovering of an online security breach for Tesla.

Dan, who only uses his first name on the forums and the website he runs, recently picked up his much anticipated Model 3 after two previous false starts, and before he even got a chance to sit in it, the chaos began, according to a blog post he wrote.

Delivery logistics hell is just the beginning

Dan writes that his sales agent assured him that he could upgrade to Enhanced Autopilot at any time, but the delivery agent handing him his keys said that could only be added prior to delivery. After he got the car home, he noticed a flaw in the lamination on the all-glass roof. After reporting the damage, customer service granted Enhanced Autopilot at a pre-delivery order price of $3,000, but the representative had no idea how to do it without charging the post-delivery upgrade price of $5,000. And after waiting several weeks to get an appointment to fix the roof, they damaged the paint during the replacement and needed to keep the car longer for auto body repair.

During this time he detailed his experience on Tesla's official forum (not to be confused with Tesla Motor Club forum), adding to the hundreds of other threads complaining about poor delivery service. However, after he tried to update his lengthy post, the Cleveland-based user found that it had mysteriously disappeared, and he was unable to repost it because his account was limited to only one post per day.

His request to have that restriction lifted was reportedly passed along from Tesla's customer service to the IT department, and shortly after the call, Dan found he was able to do much more than post multiple threads per day: he had full admin rights to the entire forum.

What Tesla forum admins can do

Being an admin for Tesla's forum means that he could edit and delete any post on the site. He also could add new forum topics, create new vehicle models (at least on the forum), and even create new vehicle reservations and upcoming Supercharger locations. But the biggest security breach is that it gave him permission to view the profile details of the more than 1.5 million accounts, including Musk's.

And since Dan could see that the last time Musk logged in was more than three years ago, we can probably put an end to the rumor that he has been fact-checking the forum.

The newbie Tesla owner wasn't the only one with full admin rights to the site. Several other customer accounts had these permissions, as did former employees. How much of a security breach this represents isn't clear. The forum isn't connected to other databases the company maintains. In fact, you can't even access the forum directly from the Tesla Web site.

On November 8, he also reached out to Tesla on Twitter to alert the company of its security flaw, with no immediate response.

Rather than mess around with everyone's data, all Dan did with his superuser access was resurrect his original post. But it wasn't exactly the same.

Ooops

Eagle-eyed forum members noticed that his user profile had changed to employee status with a red Tesla badge next to his name, so he quickly unpublished the post. But a bug of some sort in the Drupal software running the forum took down every post published prior to his with it.

If you want to get Tesla's attention and Twitter isn't working, deleting years and years of posts from its forum is one way to do it. Shortly thereafter, everything got restored and Dan lost his admin privileges.

Tesla responds 

Tesla's customer service team also responded by email to his reported concerns about the forum's security, assuring him that no official customer data was shared due to this mistake and that it was unlikely that former employees who retained their admin status had abused the site. You can read their full response with screenshots here. He was asked to submit the bug to the official Bugcrowd site, which is also responsible for determining the bounty for finding it.

In the meantime, he was able to speak with his local branch manager and received the Enhanced Autopilot option for $3,000, free lifetime LTE data, two free vehicle servicings, and a Tesla home charging wall connector as compensation for his vehicle issues.

Although Tesla eventually made good on a poor customer experience, it would be better if it never happened in the first place—especially for the other 1.5 million forum users.

Updated: Tesla responded to the story with the following:

Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community. In this case, the customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels. We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again. Any customer reporting a potential security vulnerability is encouraged to apply for an award through our bug bounty program.

Source: Dansdeals.com
