A network engineer has discovered that Nissan's latest high-tech car, dubbed the LEAF, exposes user information about the vehicle's speed, position and destination via an inbuilt RSS feed.
The exposure sits in the LEAF's CARWINGS feature that offers telemetry functionality via GSM and provides reports on distance travelled and fuel consumption.
But an inbuilt RSS feed included in CARWINGS was found to also scrape information about the location and speed of a vehicle, information that can be disseminated via RSS.
“All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t matter!” Casey Halverson, a network engineer at US-based Infospace said in a blog.
“There is no way to prevent this data from being sent, nor does Nissan or CARWINGS warn you that all of your location data can be flung off to random third parties.
“Simply put in any RSS URL, and CARWINGS will add a question mark with all of the location data.”
Nissan was contacted for comment. However, Halverson said details of the privacy leak were referenced in a Nissan information document (Japanese translation).
He admitted the flaw was likely inadvertent but noted the data may still reside in logs “waiting to be parsed out or perhaps supported in the future”.
Halverson said data is only captured the moment RSS feed sources are added, so it cannot be used as a persistent vehicle tracker.
He created a proof of concept RSS feed to demonstrate the flaw.
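Because the appended query string lands in the access logs of whichever feed publisher the driver configures, a publisher can strip it before logs are retained. The following is an added example, not code from Halverson or Nissan: it keeps only an allowlist of query parameters in each logged request line. The parameter names `lat`, `lon` and `speed`, the `/feed.xml` path, the allowlist and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the only query parameters this feed endpoint legitimately uses.
ALLOWED_PARAMS = {"format", "page"}

# Request section of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scrub_target(target):
    """Return (clean_target, dropped_names), keeping allowlisted params only."""
    parts = urlsplit(target)
    kept, dropped = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in ALLOWED_PARAMS:
            kept.append((name, value))
        else:
            dropped.append(name)  # record the name only, never the value
    clean = urlunsplit(("", "", parts.path, urlencode(kept), ""))
    return clean, dropped


def scrub_log_line(line):
    """Rewrite the request target in one access-log line; report dropped names."""
    dropped_all = []

    def _sub(match):
        clean, dropped = scrub_target(match.group("target"))
        dropped_all.extend(dropped)
        return f'"{match.group("method")} {clean} {match.group("proto")}"'

    return REQUEST_RE.sub(_sub, line, count=1), dropped_all


# Constructed sample lines; lat/lon/speed are hypothetical parameter names.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2011:10:00:00 +0000] '
    '"GET /feed.xml?lat=1.0&lon=2.0&speed=30 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2011:10:00:05 +0000] '
    '"GET /feed.xml?format=rss HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean_line, dropped_names = scrub_log_line(raw)
        print(clean_line, "| dropped:", dropped_names)
```

An allowlist is used because the publisher cannot know in advance which parameters a client will append; anything unexpected is dropped rather than matched by name.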
The Nissan Leaf is due to hit Australian shores mid next year and is already available in the US and Europe.