Eaton Zveare, a security researcher, has released the specifics of major vulnerabilities uncovered in Honda’s e-commerce platform for power equipment, marine, and lawn & garden products.
It allowed anyone to reset their password for any account and was therefore open to unauthorized access.
The researcher found the security flaws and the data leakage early this year, and he informed Honda of his findings in mid-March.
The vendor acknowledged the problems right away and congratulated the white hat hacker for his efforts but did not compensate him because it lacked a bug bounty program.
Honda reported that it did not discover any proof of malicious exploitation.
“I compromised Honda’s power equipment/marine/lawn & garden dealer eCommerce platform by exploiting a password reset API that let me easily reset the password of any account,” said the researcher.
“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”
The platform drives Honda Dealer Sites, a service that allows dealers to build websites to sell Honda goods. Dealers are given all the resources they need to build a website, market it, and manage product orders after they create an account.
A Password Reset API Vulnerability In An Admin Dashboard
The researcher found a password reset API flaw in the admin dashboard that let him change the password for a Honda test account setup.
Complete administrative access obtained with access to:
- 21,393 customer orders across all dealers from August 2016 to March 2023, including customer name, address, phone number, and ordered items.
- 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
- 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
- 1,090 dealer emails (includes first & last name).
- 11,034 customer emails (includes first & last name).
- Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
- Internal financial reports.
The researcher mentioned that the “powerdealer[.]honda.com” subdomains are given to authorized resellers and dealers by Honda’s e-commerce platform, which contains the API issue.
He discovered that the Power Equipment Tech Express (PETE) password reset API on one of Honda’s websites performed reset requests without a token or the prior password and only required a valid email.
Despite the absence of this vulnerability on the e-commerce subdomains login portal, anyone can access internal dealership data using this straightforward attack because the credentials changed on the PETE site would still work there.
The researcher obtained a legitimate dealer email address from a YouTube video that showed how to use a test account to access the dealer dashboard.
YouTube video exposes test account email
“This platform assigns numeric IDs to everything from orders to sites. The IDs were sequential so just adding +1 to the current ID would bring you to the next record”, the researcher explained.
The browser address bar displayed the ID that was given to each dealer site. He discovered that he could access the dashboard of a different dealer by altering that ID.
The last stage of the operation was to get access to Honda’s admin panel, which serves as the main management interface for the company’s e-commerce platform.
By altering an HTTP response to make it appear as though he was an admin, the researcher gained unrestricted access to the Honda Dealer Sites platform.
The Researcher said that highly targeted phishing campaigns might be developed with access to more than 21,000 client orders to deceive customers into submitting even more sensitive data or to try and install malware on their devices.
Also, more than 1000 active websites could have been secretly changed to include dangerous malware like credit card skimmers and crypto miners.
Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security