Friday, December 1, 2023

Honda eCommerce Platform Flaw Exposes Customers’ Data

Eaton Zveare, a security researcher, has released the specifics of major vulnerabilities uncovered in Honda’s e-commerce platform for power equipment, marine, and lawn & garden products.

It allowed anyone to reset their password for any account and was therefore open to unauthorized access.

The researcher found the security flaws and the data leakage early this year, and he informed Honda of his findings in mid-March. 

The vendor acknowledged the problems right away and congratulated the white hat hacker for his efforts but did not compensate him because it lacked a bug bounty program.

Honda reported that it did not discover any proof of malicious exploitation.

“I compromised Honda’s power equipment/marine/lawn & garden dealer eCommerce platform by exploiting a password reset API that let me easily reset the password of any account,” said the researcher.

“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”

The platform drives Honda Dealer Sites, a service that allows dealers to build websites to sell Honda goods. Dealers are given all the resources they need to build a website, market it, and manage product orders after they create an account.

A Password Reset API Vulnerability In An Admin Dashboard

The researcher found a password reset API flaw in the admin dashboard that let him change the password for a Honda test account setup. 

Complete administrative access obtained with access to:

  • 21,393 customer orders across all dealers from August 2016 to March 2023, including customer name, address, phone number, and ordered items.
  • 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
  • 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
  • 1,090 dealer emails (includes first & last name).
  • 11,034 customer emails (includes first & last name).
  • Potentially: Stripe, PayPal, and private keys for dealers who provided them.
  • Internal financial reports.
Exposed customer emails

The researcher mentioned that the “powerdealer[.]” subdomains are given to authorized resellers and dealers by Honda’s e-commerce platform, which contains the API issue.

He discovered that the Power Equipment Tech Express (PETE) password reset API on one of Honda’s websites performed reset requests without a token or the prior password and only required a valid email.

Despite the absence of this vulnerability on the e-commerce subdomains login portal, anyone can access internal dealership data using this straightforward attack because the credentials changed on the PETE site would still work there.

Password reset API request sent to PETE
Password reset API request sent to PETE

The researcher obtained a legitimate dealer email address from a YouTube video that showed how to use a test account to access the dealer dashboard.

Test account email exposed on YouTube video

YouTube video exposes test account email

“This platform assigns numeric IDs to everything from orders to sites. The IDs were sequential so just adding +1 to the current ID would bring you to the next record”, the researcher explained.

The browser address bar displayed the ID that was given to each dealer site. He discovered that he could access the dashboard of a different dealer by altering that ID.

Adding +1 to the current ID would bring you to the next record

The last stage of the operation was to get access to Honda’s admin panel, which serves as the main management interface for the company’s e-commerce platform.

By altering an HTTP response to make it appear as though he was an admin, the researcher gained unrestricted access to the Honda Dealer Sites platform.

The Honda Dealer Sites admin panel
The Honda Dealer Sites admin panel

The Researcher said that highly targeted phishing campaigns might be developed with access to more than 21,000 client orders to deceive customers into submitting even more sensitive data or to try and install malware on their devices.

Also, more than 1000 active websites could have been secretly changed to include dangerous malware like credit card skimmers and crypto miners.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security


Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles