Troy Hunt reported the flaw after reporting it to Nissan, giving the company a month to fix the issue before making the flaw public. Nissan said it could not yet comment.
Although the problem is not life-threatening, Hunt told BBC News, hackers can still take advantage of the NissanConnect apps vulnerability to cause mischief by running down peoples batteries, the report said.
"The right thing to do at the moment would be for Nissan to turn it off altogether," Hunt told the BBC. They are going to have to let customers know. And to be honest, a fix would not be hard to do. It's not that they have done authorization [on the app] badly, they just haven't done it at all, which is bizarre."
To confirm the problem existed, Hunt used the VIN number of a Nissan Leaf-owning acquaintance based in the UK, the report said.
"I was sat in the vehicle with everything powered off and didn't have my key on me," recalled Scott Helme, who is also a cybersecurity adviser.
"So, the vehicle was as it would be if it was completely unattended.
"As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe 10 seconds later I heard an internal beep in the car.