A flaw related to a companion app means Nissan Leaf electric cars' heating and air-conditioning systems can be hijacked, a "prominent" security researcher has discovered.