[Hyundai] Remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

We discussed this vulnerability during Episode 173 on 05 December 2022.

An email normalization issue allowing for remote control of a vehicle.

Hyundai’s remote control API would use a JWT for authorization, and the JWT would contain the user’s email. For the API request to unlock a vehicle, the JWT would be sent in a header, and the body of the request would carry a userName field containing the same email, along with the vin for the target vehicle.

It would check that the userName (email) matched the email in the JWT and throw an error if not. The vulnerability comes from this comparison: it would do some normalization, and registration would not require confirming ownership of the email.

So one could register with the email example@gmail.com%0d (a carriage return at the end), but use example@gmail.com in the body of the request. Due to normalization, it would go ahead and treat your JWT as valid for the example@gmail.com user name, allowing the attacker to control the victim's vehicle.
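The comparison flaw described above, next to a stricter check, as an added example (this is not Hyundai's code). The normalization rule (dropping control characters and whitespace), the regex and all function names are assumptions, since the write-up says only that "some normalization" was applied.

```python
import re

# Assumed allow-list for a canonical address: no whitespace or control characters.
# fullmatch() is used so a trailing "\r" or "\n" can never slip past the pattern.
STRICT_EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+")


def lenient_normalize(email: str) -> str:
    """Model of the flawed behaviour (assumed rule): non-printable characters and
    whitespace are dropped at comparison time, so two different registered
    strings collapse into the same identity."""
    return "".join(c for c in email if c.isprintable() and not c.isspace()).lower()


def vulnerable_authorize(jwt_email: str, body_user_name: str) -> bool:
    # Normalizes both sides, then the request proceeds as body_user_name.
    return lenient_normalize(jwt_email) == lenient_normalize(body_user_name)


def register_strict(raw_email: str) -> str:
    """Hardened registration: canonicalize once, then reject anything that is
    not already in canonical form, so look-alike accounts cannot be created."""
    candidate = raw_email.lower()
    if not STRICT_EMAIL.fullmatch(candidate):
        raise ValueError("email contains disallowed characters")
    return candidate


def hardened_authorize(jwt_email: str, body_user_name: str) -> bool:
    # Exact comparison of stored canonical values; nothing is normalized here.
    return (jwt_email == body_user_name
            and STRICT_EMAIL.fullmatch(jwt_email) is not None)


if __name__ == "__main__":
    # Constructed sample values: "%0d" from the write-up, URL-decoded to "\r".
    token_email = "example@gmail.com\r"   # email claim inside the JWT
    body_email = "example@gmail.com"      # userName field in the request body
    print("lenient check accepts:", vulnerable_authorize(token_email, body_email))
    print("strict check accepts: ", hardened_authorize(token_email, body_email))
```

Beyond the strict comparison, taking the acting identity only from the verified token and confirming email ownership at registration removes the two conditions the write-up names.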