
VinSolutions Security Issue "what salesmen really have access to"

Apr 27, 2013
Justin
I found a ridiculous flaw in VIN today after I caught a salesman viewing another salesman's lead. I wanted to post this here to find out if this is the same for other dealers.

What's going on is that VIN did not set security on a per-page basis; what they did was remove links for different levels of access based on your login. I could be wrong, but I am able to (from a salesman's login) go anywhere in the system as long as I know the URL.

We started using VIN's ILM in 2008 and are now in the process of changing our CRM from Autobase to VIN. I have always been concerned about the security of a hosted CRM and, unless I am wrong about this, I had every right to be.

I contacted VIN and they started a case. I know how support is, and this could take some time.

I will post some links and see if they work for you. Simply log in as a salesman and then click one of these links and see if they work. I am not going to list the damage a salesman could do, but anyone who knows this system will understand what could be done. Some of the security works, like getting "access denied" when entering another salesman's customer, but what you can change and enter is disgusting.
Desk log

https://apps.vinmanager.com/CarDash...Log.aspx&rightpaneframe=DealerDashboard1.aspx

Lead Assignment

https://apps.vinmanager.com/CarDash...lerILMAssignmentRule.aspx&rightpaneframe=HIDE

Lead Settings

http://apps.vinmanager.com/CarDashb...nt/DealerSettings.ascx&SelectedTab=t_Settings

Lead Source

http://apps.vinmanager.com/CarDashb...ement/LeadSourceEdit.aspx&rightpaneframe=HIDE


User Settings

http://apps.vinmanager.com/CarDashb...frame=DealerUserList.aspx&rightpaneframe=HIDE

Inventory Settings

http://apps.vinmanager.com/CarDashb...DealerINVSettingEdit.aspx&rightpaneframe=HIDE

Dealer Settings

https://apps.vinmanager.com/CarDash...ealerED.ascx&SelectedTab=t_Settings&RecordID=

You will need to add your dealer code to the end of this one, so if your dealer code was 9999 it would look like this:

https://apps.vinmanager.com/CarDashboard/ploader.aspx?TargetControl=AdminControls/DealerED.ascx&SelectedTab=t_Settings&RecordID=9999

Thank God you cannot access another dealer's page; that security is fine. You get this:

[ApplicationException: Unauthorized access to dealership Example Dealer]
Cars.Objects.BusinessObjects.DealerBO.LoadByRecordID(DataSet ds, String RecordID) +307
Matthew.Web.UI.ControlsBase.EditControlBase.LoadData(DataSet dataSetInUse) +270
Matthew.Web.UI.ControlsBase.EditControlBase.OnLoad(EventArgs e) +61
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3064

I would no longer be a client if this was open.

Please let me know if you are having this issue. To me this is an issue: if one of my salesmen could delete everything we have done or just cause massive problems in the system, I want no part of this software!
Justin
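The distinction Justin is describing (links hidden per role in the menu, versus the server checking the role on every request it serves) modelled as an added Python example. This is my own illustration, not VinSolutions code or an account of how their loader actually works. It assumes a loader page that renders whichever control the TargetControl parameter names, as the quoted URLs suggest; apart from AdminControls/DealerED.ascx, the control names, role names, dealer IDs, user names and log lines are constructed for the example. The last function replays the hardened policy over an access log, which is how a dealer could find out after the fact which pages link hiding let through.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Session:
    user: str
    role: str       # "salesperson", "manager" or "admin" (constructed role names)
    dealer_id: str  # the dealership this login belongs to


# Which roles may render which control. The role assignments are an assumption
# for the example; all control names except DealerED.ascx are constructed.
CONTROL_POLICY = {
    "CustomerDetail.aspx": {"salesperson", "manager", "admin"},
    "DeskLog.aspx": {"manager", "admin"},
    "LeadAssignmentRules.aspx": {"manager", "admin"},
    "UserSettings.aspx": {"admin"},
    "AdminControls/DealerED.ascx": {"admin"},
}


def resolve_target(url):
    """Return (control, record_id) for a request URL.

    Requests go through a loader page whose TargetControl parameter names the
    control to render (as in the post's URLs); any other path is used as-is.
    A blank RecordID= is treated as absent.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path.endswith("/ploader.aspx"):
        control = qs.get("TargetControl", [""])[0]
    else:
        control = parts.path.lstrip("/")
    record_id = qs.get("RecordID", [None])[0]
    return control, record_id


def serve_hiding_links_only(session, url):
    """The pattern the post describes: the menu omits links the role should not
    see, but the loader renders any control it knows for any logged-in user."""
    control, _ = resolve_target(url)
    return 200 if control in CONTROL_POLICY else 404


def serve_with_authorization(session, url):
    """Hardened pattern: the loader checks the role against the control on every
    request, and a RecordID must belong to the caller's own dealership (that
    second check is the one the quoted stack trace shows already working)."""
    control, record_id = resolve_target(url)
    if control not in CONTROL_POLICY:
        return 404
    if session.role not in CONTROL_POLICY[control]:
        return 403
    if record_id is not None and record_id != session.dealer_id:
        return 403
    return 200


# Constructed user directory and access-log lines ("<time> <user> <url> <status>").
USERS = {
    "jsmith": Session("jsmith", "salesperson", "9999"),
    "mgarcia": Session("mgarcia", "manager", "9999"),
    "admin1": Session("admin1", "admin", "9999"),
}

SAMPLE_LOG = """\
2013-04-27T09:01:10 jsmith /CarDashboard/ploader.aspx?TargetControl=CustomerDetail.aspx&RecordID=9999 200
2013-04-27T09:03:42 jsmith /CarDashboard/ploader.aspx?TargetControl=UserSettings.aspx 200
2013-04-27T09:04:05 jsmith /CarDashboard/ploader.aspx?TargetControl=AdminControls/DealerED.ascx&RecordID=9999 200
2013-04-27T09:05:30 mgarcia /CarDashboard/ploader.aspx?TargetControl=DeskLog.aspx 200
2013-04-27T09:06:12 jsmith /CarDashboard/ploader.aspx?TargetControl=AdminControls/DealerED.ascx&RecordID=1234 500
"""


def audit_log(log_text, users=USERS):
    """Replay the hardened policy over past requests. Every line that was served
    200 but would now get 403 is a page that link hiding alone let through."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, url, status = line.split()
        session = users.get(user)
        if session is None or status != "200":
            continue
        if serve_with_authorization(session, url) == 403:
            control, _ = resolve_target(url)
            findings.append((ts, user, control))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print("forced browsing let through:", finding)
```

The fix is not a longer list of hidden links: the loader (the one place every page goes through) has to apply the same kind of check per control that it already applies per dealership. Replaying a policy over old logs, as `audit_log` does, is also a cheap way to confirm a vendor's fix from the customer side once it ships.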
 
Yes, there is a current security issue. It will be resolved in tomorrow's (5/29) release. From time to time, in an effort to push out new features and updates, items like this have in the past made their way into the system. Overall you will find no other occurrences of this discussed, because we have not had these incidents before.