Monday, December 30, 2024

Honda eCommerce Platform Flaw Exposes Customers’ Data


Eaton Zveare, a security researcher, has released the specifics of major vulnerabilities uncovered in Honda’s e-commerce platform for power equipment, marine, and lawn & garden products.

The flaws allowed anyone to reset the password of any account, leaving the platform open to unauthorized access.

The researcher found the security flaws and the data leakage early this year, and he informed Honda of his findings in mid-March. 


The vendor acknowledged the problems right away and congratulated the white hat hacker for his efforts but did not compensate him because it lacked a bug bounty program.

Honda reported that it did not discover any proof of malicious exploitation.

“I compromised Honda’s power equipment/marine/lawn & garden dealer eCommerce platform by exploiting a password reset API that let me easily reset the password of any account,” said the researcher.

“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”

The platform drives Honda Dealer Sites, a service that allows dealers to build websites to sell Honda goods. Dealers are given all the resources they need to build a website, market it, and manage product orders after they create an account.

A Password Reset API Vulnerability In An Admin Dashboard

The researcher found a password reset API flaw in the admin dashboard that let him change the password of a Honda test account.

With it, he obtained complete administrative access, including access to:

  • 21,393 customer orders across all dealers from August 2016 to March 2023, including customer name, address, phone number, and ordered items.
  • 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
  • 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
  • 1,090 dealer emails (includes first & last name).
  • 11,034 customer emails (includes first & last name).
  • Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
  • Internal financial reports.
Exposed customer emails

The researcher mentioned that the “powerdealer[.]honda.com” subdomains are given to authorized resellers and dealers by Honda’s e-commerce platform, which contains the API issue.

He discovered that the Power Equipment Tech Express (PETE) password reset API on one of Honda’s websites performed reset requests without a token or the prior password and only required a valid email.

The login portal on the e-commerce subdomains did not have this vulnerability, but credentials changed on the PETE site still worked there, so anyone could access internal dealership data with this straightforward attack.
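The reset pattern described above, next to a token-bound flow, as an added example that is not Honda's code or the researcher's. The `Accounts` class, its method names, the in-memory store and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed policy)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:
    """In-memory account store, constructed for this example."""
    def __init__(self):
        self.users = {}     # email -> (salt, password hash)
        self.pending = {}   # email -> (sha256 of token, expiry time)
        self.outbox = []    # (email, token) pairs "mailed" to the account owner

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _pw_hash(password, salt))

    def check_password(self, email, password):
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, _pw_hash(password, salt))

    def reset_insecure(self, email, new_password):
        # Pattern the article describes: a valid email is the only requirement.
        if email not in self.users:
            return False
        self.set_password(email, new_password)
        return True

    def request_reset(self, email, now=None):
        # Same reply for known and unknown emails; the token only goes to the mailbox.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            expiry = (time.time() if now is None else now) + TOKEN_TTL
            self.pending[email] = (hashlib.sha256(token.encode()).digest(), expiry)
            self.outbox.append((email, token))
        return "If the account exists, a reset link has been sent."

    def confirm_reset(self, email, token, new_password, now=None):
        # pop(): any attempt consumes the token, so it is single-use and
        # cannot be guessed by retrying.
        digest, expiry = self.pending.pop(email, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        now = time.time() if now is None else now
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        self.set_password(email, new_password)
        return True
```

Because the same credentials are accepted by more than one site, every reset endpoint that writes to the shared account store needs the token check, not only the main login portal.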

Password reset API request sent to PETE

The researcher obtained a legitimate dealer email address from a YouTube video that showed how to use a test account to access the dealer dashboard.

Test account email exposed on YouTube video


“This platform assigns numeric IDs to everything from orders to sites. The IDs were sequential so just adding +1 to the current ID would bring you to the next record”, the researcher explained.

The browser address bar displayed the ID that was given to each dealer site. He discovered that he could access the dashboard of a different dealer by altering that ID.

Adding +1 to the current ID would bring you to the next record

The last stage of the operation was to get access to Honda’s admin panel, which serves as the main management interface for the company’s e-commerce platform.

By altering an HTTP response to make it appear as though he was an admin, the researcher gained unrestricted access to the Honda Dealer Sites platform.
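The two access-control gaps described above (sequential IDs with no ownership check, and an admin status the client could influence) call for server-side checks. The following is an added sketch, not the platform's code; the handler names, session model, sample records and the denial counter used for alerting are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    dealer_id: int
    is_admin: bool   # assigned by the server at login and stored server-side

# Constructed sample data: sequential site IDs owned by different dealers.
SITES = {1001: {"dealer_id": 7, "name": "Dealer A"},
         1002: {"dealer_id": 8, "name": "Dealer B"},
         1003: {"dealer_id": 9, "name": "Dealer C"}}
SESSIONS = {"sess-test": Session("test@example.test", 7, False),
            "sess-admin": Session("ops@example.test", 0, True)}
DENIED = Counter()   # user -> denied object lookups, kept for alerting

def get_site_insecure(session_id, site_id):
    # Pattern from the article: any logged-in user can load any ID.
    return SITES.get(site_id) if session_id in SESSIONS else None

def get_site(session_id, site_id):
    # Object-level check: the record must belong to the caller's dealer.
    s = SESSIONS.get(session_id)
    if s is None:
        return 401, None
    site = SITES.get(site_id)
    if site is None or not (s.is_admin or site["dealer_id"] == s.dealer_id):
        DENIED[s.user] += 1
        return 404, None   # same answer for "missing" and "not yours"
    return 200, site

def admin_panel(session_id, client_claims=None):
    # client_claims stands for anything the browser asserts about itself
    # (for example an admin flag taken from an edited response); it is ignored.
    s = SESSIONS.get(session_id)
    if s is None or not s.is_admin:
        return 403, None
    return 200, {"sites": len(SITES)}

def enumeration_suspects(threshold=2):
    # Accounts with repeated denied lookups, a sign of ID walking.
    return sorted(u for u, n in DENIED.items() if n >= threshold)
```

Random, non-sequential identifiers make records harder to enumerate, but the ownership check in `get_site` is what actually prevents cross-dealer access.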

The Honda Dealer Sites admin panel

The researcher said that access to more than 21,000 customer orders could be used to build highly targeted phishing campaigns that deceive customers into submitting even more sensitive data or try to install malware on their devices.

Also, more than 1,000 active websites could have been secretly changed to include dangerous malware like credit card skimmers and crypto miners.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
