Tuesday, October 15, 2024
HomeCyber Security NewsHonda eCommerce Platform Flaw Exposes Customers' Data

Honda eCommerce Platform Flaw Exposes Customers’ Data

Published on

Malware protection

Eaton Zveare, a security researcher, has released the specifics of major vulnerabilities uncovered in Honda’s e-commerce platform for power equipment, marine, and lawn & garden products.

It allowed anyone to reset their password for any account and was therefore open to unauthorized access.

The researcher found the security flaws and the data leakage early this year, and he informed Honda of his findings in mid-March. 

- Advertisement - SIEM as a Service

The vendor acknowledged the problems right away and congratulated the white hat hacker for his efforts but did not compensate him because it lacked a bug bounty program.

Honda reported that it did not discover any proof of malicious exploitation.

“I compromised Honda’s power equipment/marine/lawn & garden dealer eCommerce platform by exploiting a password reset API that let me easily reset the password of any account,” said the researcher.

“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”

The platform drives Honda Dealer Sites, a service that allows dealers to build websites to sell Honda goods. Dealers are given all the resources they need to build a website, market it, and manage product orders after they create an account.

A Password Reset API Vulnerability In An Admin Dashboard

The researcher found a password reset API flaw in the admin dashboard that let him change the password for a Honda test account setup. 

Complete administrative access obtained with access to:

  • 21,393 customer orders across all dealers from August 2016 to March 2023, including customer name, address, phone number, and ordered items.
  • 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
  • 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
  • 1,090 dealer emails (includes first & last name).
  • 11,034 customer emails (includes first & last name).
  • Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
  • Internal financial reports.
Exposed customer emails

The researcher mentioned that the “powerdealer[.]honda.com” subdomains are given to authorized resellers and dealers by Honda’s e-commerce platform, which contains the API issue.

He discovered that the Power Equipment Tech Express (PETE) password reset API on one of Honda’s websites performed reset requests without a token or the prior password and only required a valid email.

Despite the absence of this vulnerability on the e-commerce subdomains login portal, anyone can access internal dealership data using this straightforward attack because the credentials changed on the PETE site would still work there.

Password reset API request sent to PETE
Password reset API request sent to PETE

The researcher obtained a legitimate dealer email address from a YouTube video that showed how to use a test account to access the dealer dashboard.

Test account email exposed on YouTube video

YouTube video exposes test account email

“This platform assigns numeric IDs to everything from orders to sites. The IDs were sequential so just adding +1 to the current ID would bring you to the next record”, the researcher explained.

The browser address bar displayed the ID that was given to each dealer site. He discovered that he could access the dashboard of a different dealer by altering that ID.

Adding +1 to the current ID would bring you to the next record

The last stage of the operation was to get access to Honda’s admin panel, which serves as the main management interface for the company’s e-commerce platform.

By altering an HTTP response to make it appear as though he was an admin, the researcher gained unrestricted access to the Honda Dealer Sites platform.

The Honda Dealer Sites admin panel
The Honda Dealer Sites admin panel

The Researcher said that highly targeted phishing campaigns might be developed with access to more than 21,000 client orders to deceive customers into submitting even more sensitive data or to try and install malware on their devices.

Also, more than 1000 active websites could have been secretly changed to include dangerous malware like credit card skimmers and crypto miners.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...