A researcher discovered two zero-day vulnerabilities residing in the official BMW web domain and ConnectedDrive portal that allow remote hacking. The vulnerabilities are still unpatched, exposing them to cyber attacks. The VIN (Vehicle Identification Number) session vulnerability resides in the session management of VIN usage, and hackers could exploit it to bypass the secure validation procedures of the VIN remotely using a live session. The second vulnerability is a client-side cross-site scripting vulnerability. The vulnerability is located in the `t` value (token) of the `passwordResetOk` web-application file.
Source: http://securityaffairs.co/wordpress/49149/hacking/bmw-connecteddrive-hacking.html

