#1: You don't own the thread. Changed after abundant evidence there is nothing to this unless you share your login information and the original title is still there. Is that factually incorrect?
I started the thread and I am its author. No one else has the right to attempt to change what I wrote to reflect their agenda.
This isn't a flaw "if you give your credentials to third parties". It's a potential vulnerability if you give your credentials to third parties. It's a flaw regardless because a) it can become a vulnerability WHEN people give their credentials to third parties and b) there are reasonable precautions one is expected to take when building a REST API to reduce that likelihood.
#2: You still refuse to clearly state in your article that you have to give out your private login info. Why is that? You hint at it in the second article but don't explicitly say it. You are getting a lot of attention for it so maybe that is your motivation. A well written, non-scary article wouldn't have gotten any outside press or attention.
Actually, I did say it. You just want me to put it in big blinking letters. And you don't agree with my conclusions.
A well written, non-scary article wouldn't have gotten any outside press or attention.
A lot of people think it is a well-written, non-scary, accurate reflection of the situation. There's nothing wrong with the fact that it got outside press and attention.
You just don't like your precious Tesla getting any negative press.
Are you saying usernames and passwords are not great security? That is hardly news and not Tesla specific.
No, that's not what I am saying.
Handing out your only source of protection from a 'hack' either to your bank account or car to an unknown third party is hardly a 'hack' or major security flaw.
No. The fact that it's the only source of protection is the flaw. Especially since, with respect to APIs, there are much better solutions readily available and commonly implemented. It is only laziness and incompetence that leads someone to build a REST API in 2013 with no such protections.
Thus, it is a flaw.
Should someday something better be in place? Sure, but your article made it seem like people would be dialing into your car and maliciously doing things to it. Not the case.
It is possible and I guarantee you that one day it will happen.
- - - Updated - - -
Let me put this in really simple terms:
If you build a non-SOAP web services API, authentication should only ever occur via application-specific credentials that may be revoked on a case-by-case basis.
Anything else is a flaw in your authentication design.
It's that simple.
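An added illustration (not from the thread or from any vendor's code) of the design the post above argues for: each third-party application gets its own credential, the account password is never handed out, and one application's credential can be revoked without touching the others. The store, the credential format and the sample user and app names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class AppCredentialStore:
    """Per-application API credentials that can be revoked one at a time.

    Assumed in-memory layout for the example: token_id -> record.
    """

    def __init__(self):
        self._records = {}

    def issue(self, user, app_name):
        # The account password is never involved; each app gets its own secret.
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        # Only a hash is kept server-side; the plaintext is shown to the app once.
        self._records[token_id] = {
            "hash": hashlib.sha256(secret.encode()).digest(),
            "app": app_name,
            "user": user,
            "revoked": False,
        }
        return f"{token_id}.{secret}"

    def revoke(self, token_id):
        # Revocation is per credential, so other apps of the same user keep working.
        rec = self._records.get(token_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authenticate(self, presented):
        token_id, _, secret = presented.partition(".")
        rec = self._records.get(token_id)
        if rec is None or rec["revoked"]:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, rec["hash"]):
            return None
        return rec["user"], rec["app"]


def demo():
    """Issue two app credentials, revoke one, and show the other still works."""
    store = AppCredentialStore()
    t_dash = store.issue("owner@example.com", "dashboard-app")  # constructed
    t_phone = store.issue("owner@example.com", "phone-app")     # constructed
    store.revoke(t_dash.split(".")[0])  # dashboard-app is no longer trusted
    return store.authenticate(t_dash), store.authenticate(t_phone)
```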