
Start Button on App

The app already communicates with a "website" (public web API). Keep your password safe and secure.

Wow....

Amazing....

Public web API isn't a website.

Let's not get into that. I hacked all over a 3rd party's Tesla access app and could control my car in 15 min. Of course I canceled the app and removed all traces.

Let's not get into the world of hacking. Sorry I brought it up.
 
A public web API is literally a web site. It is a site which you access via HTTP(s), the protocol for interacting with web sites.

Also, relevant:

[image: password_strength.png]

Come on.

APIs are in no way at all a website... otherwise people will just use websites instead of APIs.

APIs are designed to share data through the web, publicly or privately. Websites exist to provide something visible to the user. APIs are not designed to be visible... therefore they are not.

APIs can (most do) have an authentication protocol built in that does not require a login and password.

I build and hack these things, just because. I used to use APIs as a back door to website data that restricts me via a login and/or password.
I look at an API as a programmer's entry into an authenticated website's database.
 
Hello. My name is camalaio and I'm a software developer with experience in public and private web services including networking-oriented services.

If you are not someone familiar with the industry, please heed my warning: keep your password safe. Anyone can use it with Tesla's public API to control your car and your garage door (if HomeLink is set up). A Tesla-run website is not necessary to control your vehicle.

Hang on guys, we've got a badass hacker over here...

You don't need to "hack" an app for Tesla cars, especially for controlling your own car. For one, it exposed the functionality already. Two, it used your account authentication (which you freely exposed to a third party). Three, it's just using the public Tesla API and presenting a UI to use it. If you actually found an issue with the API, Tesla would pay you big bucks for a bug bounty. Try taking them up on it.

A website's UI includes rendering of data from the API. Like you said, it can be a shortcut. All the sensitive things the Tesla website/app can do are just visual abstractions of using that public API.

Many APIs are designed to be publicly accessible, as they often need to be in order to provide a service. If they are public and serve sensitive or personal information, they require authentication (e.g. username and password). This authentication is your only barrier to entry in a well designed system, and no web browser is necessarily required.

Keep your password safe folks.
 
Indeed Everyone.....keep your password safe.

Don't share your Tesla password with ANY 3rd party app.....NO MATTER WHAT it offers.
 
Ever shop at Target, have a Wells Fargo account, or stay at the Marriott - to name a few? I trust Stats keeping my data secure far more than any big company.

Seriously?

You trust the security of a company called MaaDoTaa over Wells Fargo?

Below is from MaaDoTaa's privacy policy, which proves that all I need to do to get my Tesla's data is to get it from them. (I assure you MaaDoTaa is much easier to get data from than Tesla.)

MaaDoTaa discloses information related to your car only to those of its employees in order to process it and on the Stats app. Our employees are located in the U.S.A. By using Stats app, you consent to the transfer of such information to us.



Below is the language in THEIR OWN privacy document that basically says that if your data is nefariously acquired then they are not liable. (Wells Fargo would go out of business with this kind of security statement.)

MaaDoTaa takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.

In no event shall Stats app be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials in Stats app, even if Stats app developer has been notified orally or in writing of the possibility of such damage.

The materials appearing on Stats app could include technical, typographical, or photographic errors. Stats app does not warrant that any of the materials on its app are accurate, complete or current.




Well....at least they covered themselves.

Good luck.
Given Wells Fargo repeatedly, intentionally, opened fraudulent credit cards and bank accounts using their own customers' private data without their knowledge or consent?

You should too.

MaaDoTaa at least hasn't been proven to intentionally and repeatedly abuse its access to customer data. WF has. For years. To the tune of billions in fines and lawsuits just so far.