Subaru security flaws exposed its system for tracking millions of cars


Curry and Shah reported their findings to Subaru in late November, and Subaru quickly fixed its Starlink security flaws. But the researchers caution that the Subaru web vulnerabilities are just the latest in a long line of similar web-based flaws they and other security researchers working with them have found affecting more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable flaws exist in other car companies’ yet-to-be-discovered web tools.

In Subaru’s case in particular, they also point out that their discovery shows how pervasively those with access to Subaru’s portal can track its customers’ movements, a privacy issue that will outlast the web vulnerabilities it exposed. “The thing is, even if it’s fixed, this functionality will still exist for Subaru employees,” Curry says. “It’s just normal functionality that an employee can pick up a year’s worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after independent security researchers were notified, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was closed immediately and no customer information was ever obtained without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevance, who can access location data.” The company offered as an example that employees have that access to share a vehicle’s location with first responders in the event a crash is detected. “All of these individuals receive proper training and are required to comply with appropriate privacy, security and NDA signing agreements as necessary,” Subaru’s statement added. The statement also said the company has “monitoring solutions in place that are constantly evolving to meet modern cyber threats.”

Responding to Subaru’s example of notifying first responders of a crash, Curry notes that it would hardly require a year of location history. The company did not respond to WIRED’s request for how far back it keeps customers’ location history and makes it available to employees.

Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found Curry’s mother’s Starlink application linked to the domain SubaruCS.com, which they realized was an administrative domain for employees. Probing the site for security flaws, they found they could reset employee passwords simply by guessing their email address, giving them the ability to take over the account of any employee whose email address they could find. The password reset feature did ask for answers to two security questions, but they found that those answers were checked by code running locally in the user’s browser, not on Subaru’s server, allowing the protection to be easily bypassed. “There were really multiple systemic failures that led to this,” says Shah.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee’s account and immediately found they could use that staff member’s access to look up any Subaru owner by last name, zip code, email address, telephone number, or number plate to access their Starlink configurations. In seconds, they could then reassign control over the Starlink features of that user’s vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition or track it, as shown in the video below.
