A hacker would also be able to track a car's location at all times, and even change its destination if the vehicle was driving itself.
Colombo said the fault was not to do with Tesla's software itself, but was "the owners' fault", without giving more details. Tesla's security team was investigating the matter, he added.
"I think it's pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway," Colombo tweeted. "Even flashing the lights non-stop can potentially have some [dangerous] impact on other drivers."
Tesla allows third-party apps to access data about its cars, which experts suggested may be the source of the vulnerability. Tesla reset several thousand "tokens", which match an app user to a car, on Tuesday, according to one app.
Tyler Corsair, the founder of Teslascope, an app that gives owners analytics about their cars, said the bug was likely to be related to a small number of people operating their own version of a separate analytics program called Teslamate.
Colombo said he had alerted Tesla to the problem and was trying to locate the individual owners affected.
Although the bug affected just a small number of users, security concerns have previously been raised about Tesla and other vehicles allowing more access to a car's features using touchscreens and smartphone apps.
Chinese hackers in 2014 said they were able to activate the horn, headlights and door locks of a Tesla Model S.
Elon Musk, the company's founder and chief executive, has said that a hack of the company's systems was one of his biggest concerns.
"In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say 'send them all to Rhode Island' – across the United States … and that would be the end of Tesla," he said in 2017.
The company, whose Model 3 was the UK's second most popular new car last year, has also been under increasing pressure over its driver assistance software Autopilot, which is facing investigations from US regulators.
Tesla has been contacted for comment.