I'm a white hat and I want to report a security issue to Koenigsegg Automotive AB. I've been trying to contact them for a month. I sent messages to the email addresses listed on the official website, as well as to the email addresses from the database that I accessed. I also tried to contact the employees via LinkedIn. The last remaining method is to contact them via the community. If they are trying to avoid paying the bounty in this way, then I think the white hat community should pay attention to this company.
I downloaded all versions of the Koenigsegg Gemera configurator from 0.0.1 (Gemera_Studio) to 3.0.0. I also downloaded the latest versions of all the other configurators hosted on the GorillaStreaming (MonkeyWay) service: Aston Martin, Lamborghini, Porsche and KTM. I have had access to it for at least three months, since January 19, 2024, and it still hasn't been fixed. Currently anyone with specific computer science knowledge can access it.
I'm publishing the latest version (build dated 2024-04-25 09:26:53) of the Koenigsegg Gemera configurator as proof. If any of the companies mentioned contact me at [email protected], I can send a detailed bug report. As a bounty I would like to receive a FrontiArt 1:8 full open Koenigsegg One:1 in Apple Silver color (FA010-01).
List of CAD models I downloaded using the Koenigsegg network exploit:
Aston Martin
- DBS Evo Coupe (AM370)
- Vantage (AM606, AM636, AM688, AM668, AM606F, AM636F, AM614, AM644, ...)
- Valour (AM690)
- DBX (AM805, AM865, AM888, ...)
- DB11 (AM569, AM539, AM509, AM570, AM540, AM510)
- DB12 (AM572, AM574, AM575, AM542, AM544, AM545)
- DBS (AM705, AM735, AM706, AM736)
- DBS110 (AM709, AM739)
- Valhalla (AMR003)
- Formula 1 Season 2023 (AMR23)
- Formula 1 Season 2024 (AMR24)
- Valkyrie (AMRB001)
- DB5 (DB5)
- Leverack Bike (LVR)
Lamborghini
- Huracan 2021-2023 (LB62x)
- Sterrato 2023 (LB62x)
- Urus 2020-2023 (LB63x)
Porsche Taycan (Y1AAA1, Y1ADB1, ...)
Koenigsegg Gemera
KTM, Husqvarna, GASGAS bikes and X-Bow GT-XR