Oh MyAudi!
The post analyzes Audi’s myAudi connected-car platform by reversing the web and Android app flows, bypassing certificate pinning with Frida/Objection, and tracing the authentication chain across identity.vwgroup.io, cariad.digital, and legacy vwg-connect.com services.

The author found that a user who can associate a vehicle as a low-privilege GUEST_USER using only a VIN can still access sensitive backend data, including embedded-SIM identifiers such as IMEI and ICCID from msg.audi.de. More seriously, guest users could query pending command requests for a VIN and observe actions initiated by the primary user; for features like “honk & flash,” the response exposed the GPS location tied to the request, and other responses revealed operational state such as whether the vehicle had been unlocked.

The write-up also notes production GraphQL introspection exposure, which leaks the full schema and internal object model, making the attack surface easier to map even where privileged mutations were not immediately found.
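The guest-user finding above is a broken object-level authorization bug: the backend checked that the caller was associated with the VIN, but not what role that association carried. The following is an added illustration (not code from the post or from Audi's services) of that flaw beside a hardened resolver; the VIN, user names, role table and request records are constructed sample data.

```python
# Added example: model of the myAudi guest-user authorization flaw and a fix.
# All identifiers and records below are constructed; none come from the post.

ROLE_PRIMARY = "PRIMARY_USER"
ROLE_GUEST = "GUEST_USER"      # the low-privilege role named in the write-up

# Constructed role table: (vin, user) -> role granted on that vehicle.
VEHICLE_ROLES = {
    ("WAUZZZ_CONSTRUCTED_001", "alice"): ROLE_PRIMARY,
    ("WAUZZZ_CONSTRUCTED_001", "mallory"): ROLE_GUEST,
}

# Constructed pending remote-command records, keyed by VIN.
PENDING_REQUESTS = {
    "WAUZZZ_CONSTRUCTED_001": [
        {"id": "req-1", "action": "HONK_AND_FLASH", "requested_by": "alice",
         "status": "PENDING", "gps": {"lat": 48.3, "lon": 9.0}},
        {"id": "req-2", "action": "UNLOCK", "requested_by": "alice",
         "status": "DONE", "gps": None},
    ],
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested VIN's data."""


def pending_requests_vulnerable(user, vin):
    """Mirrors the flaw: any associated user, guest included, sees every
    request for the VIN, GPS location and status included."""
    if (vin, user) not in VEHICLE_ROLES:
        raise Forbidden("user is not associated with this vehicle")
    return PENDING_REQUESTS.get(vin, [])


def pending_requests_hardened(user, vin):
    """Object-level check on the (vin, user) role, then per-field filtering:
    primary users see everything; guests see only their own requests and
    never the location attached to a request."""
    role = VEHICLE_ROLES.get((vin, user))
    if role is None:
        raise Forbidden("user is not associated with this vehicle")
    rows = PENDING_REQUESTS.get(vin, [])
    if role == ROLE_PRIMARY:
        return rows
    return [
        {k: v for k, v in r.items() if k != "gps"}
        for r in rows
        if r["requested_by"] == user
    ]
```

The same role-keyed check applies to the SIM-identifier endpoint: an association alone is not an authorization decision, the role on the association is.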