Honda’s E-Commerce Platform’s Password Reset Bug Puts Dealer Data at Risk

As e-commerce organizations grow more multichannel, they build and deploy an increasing number of API interfaces, and threat actors continually look for new ways to exploit vulnerabilities. Cyberattacks against e-commerce applications are therefore expected to increase in frequency in 2023.

Because of this, consistent testing and monitoring are required to adequately secure online applications, revealing flaws so they can be fixed quickly. This article covers the recent attack on the Honda e-commerce platform, how it occurred, and its effects on the company and its customers.

We will examine the various areas of vulnerability testing and its numerous phases in addition to the significance of application security testing.

The 2023 Honda E-commerce Platform Attack

The commerce platform for Honda’s power tools, lawn and garden products, and marine products had an API weakness that let anyone request a password reset for any account.

The issue was discovered by researcher Eaton Zveare, who had recently identified a significant security hole in Toyota’s supplier portal. By changing the passwords of higher-level accounts, a threat actor could gain unrestricted admin-level access to data on the company’s network.

This might have led to a significant data breach with far-reaching consequences if it had been found by a cybercriminal.

The tester was able to access the following data as a result:

  • Between August 2016 and March 2023, nearly 24,000 client orders—which included the customer’s name, address, and phone number—were placed at all Honda dealerships.
  • 1,091 active dealer websites with editing capabilities.
  • 3,588 dealer users and accounts with personal information.
  • 11,034 emails from clients with first and last names.
  • 1,090 emails from dealers.
  • Honda’s internal financial statements.

With the information listed above, cybercriminals could carry out a range of attacks, including phishing campaigns, social engineering, and the illicit sale of the data on the dark web.

The platform is made for firms selling lawn & garden, marine, and power equipment.

How Was The Vulnerability Discovered?

Registered dealers are given “powerdealer.honda.com” subdomains on the Honda e-commerce platform. On one of Honda’s websites, Power Equipment Tech Express (PETE), Zveare found that the password reset API was processing requests without requesting the prior password.
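The defect described above is a reset endpoint that accepts a new password for any account without proof that the caller owns it. Below is an added example (not Honda's code, and not Zveare's) of how a reset flow is normally structured: a reset request only issues a random, hashed, time-limited, single-use token that would be delivered out-of-band, the new password is accepted only together with that token, and an authenticated password change requires the current password. The class name, the 15-minute token lifetime, the in-memory store, and the `clock` parameter (used so expiry can be exercised without waiting) are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for this demo: reset tokens expire after 15 minutes.
RESET_TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password, salt=None):
    """PBKDF2 with a per-user random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class ResetService:
    """In-memory model of the two reset steps plus an authenticated change."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # email -> {"salt": bytes, "hash": bytes}
        self.pending = {}   # email -> {"token_hash": bytes, "expires": float}

    def add_user(self, email, password):
        salt, digest = _hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest}

    def verify_password(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        _, digest = _hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def request_reset(self, email):
        """Step 1: the caller names an account. The HTTP-style response is the
        same whether or not the account exists (no account enumeration). The
        token would be sent out-of-band; it is returned here only so the demo
        can carry on to step 2. Only a hash of it is stored server-side."""
        token = None
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[email] = {
                "token_hash": hashlib.sha256(token.encode()).digest(),
                "expires": self.clock() + RESET_TOKEN_TTL_SECONDS,
            }
        return {"status": "if that account exists, a reset link was sent"}, token

    def confirm_reset(self, email, token, new_password):
        """Step 2: a new password is accepted only with a valid, unexpired,
        single-use token. Naming the account alone is refused."""
        pend = self.pending.get(email)
        if pend is None or token is None:
            return False
        if self.clock() > pend["expires"]:
            del self.pending[email]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pend["token_hash"]):
            return False
        del self.pending[email]   # single use: the token cannot be replayed
        salt, digest = _hash_password(new_password)
        self.users[email] = {"salt": salt, "hash": digest}
        return True

    def change_password(self, email, current_password, new_password):
        """Authenticated change: the current password is always required."""
        if not self.verify_password(email, current_password):
            return False
        salt, digest = _hash_password(new_password)
        self.users[email] = {"salt": salt, "hash": digest}
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.add_user("dealer@example.test", "OldPass!1")           # constructed account
    print(svc.confirm_reset("dealer@example.test", None, "x"))  # False: no token
    _, tok = svc.request_reset("dealer@example.test")
    print(svc.confirm_reset("dealer@example.test", tok, "NewPass!2"))  # True
    print(svc.confirm_reset("dealer@example.test", tok, "Again!3"))    # False: used
```

The two properties worth checking in any reset endpoint are visible in `confirm_reset`: the password is never changed on the strength of an email address alone, and the token is consumed on first use so a leaked or intercepted link does not stay valid.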

A YouTube video showing a dealer dashboard demo utilizing a test account helped find a working email address. Once reset, these login details could be used to access internal dealership data on any Honda e-commerce subdomain login page.

The tester then wanted to log into real dealers’ accounts without being noticed and without having to reset the passwords of hundreds of accounts. To do this, Zveare found a flaw in the platform’s JavaScript, sequential assignment of user IDs, and a lack of access controls.

As a result, live accounts could be located by increasing the user ID by one until no more results were returned.

Finally, by altering an HTTP response so that the compromised account appeared to be an admin, the platform’s admin panel could be fully accessed.
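Two of the weaknesses just described, sequential user IDs and an admin role that the client could assert by editing a response, have standard countermeasures. The added example below (not Honda's code, and not the researcher's) shows them: records are keyed by random opaque IDs so there is no "ID + 1" to walk, and every privileged lookup decides the caller's role from the server's own session store, so a role value arriving from the client is ignored. It also includes a small log check a defender could run to spot a client walking consecutive numeric IDs. The class and function names, the `/api/users/<id>` path, and the sample log lines are all constructed for this demo.

```python
import re
import secrets
from collections import defaultdict


class DealerPortal:
    """Server-side state only: the client never supplies its own role."""

    def __init__(self):
        self.sessions = {}   # session token -> {"user_id": str, "role": str}
        self.users = {}      # opaque user id -> {"email": str, "role": str}

    def create_user(self, email, role="dealer"):
        user_id = secrets.token_urlsafe(16)   # opaque: no predictable successor
        self.users[user_id] = {"email": email, "role": role}
        return user_id

    def login(self, user_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user_id": user_id,
                                "role": self.users[user_id]["role"]}
        return token

    def get_user(self, session_token, target_id, claimed_role=None):
        """Return a user record if the caller may see it. `claimed_role`
        stands in for a role flag coming from the client; it is deliberately
        unused, because authorization is derived from the session only."""
        sess = self.sessions.get(session_token)
        if sess is None:
            return None
        if sess["user_id"] != target_id and sess["role"] != "admin":
            return None   # not the caller's own record and not an admin
        return self.users.get(target_id)


# Detection side: common-log-style lines (constructed for this demo).
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "GET /api/users/(?P<id>\d+) ')

SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2023:10:00:01 +0000] "GET /api/users/1001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Mar/2023:10:00:02 +0000] "GET /api/users/1002 HTTP/1.1" 200 498',
    '198.51.100.4 - - [16/Mar/2023:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 88',
    '203.0.113.7 - - [16/Mar/2023:10:00:02 +0000] "GET /api/users/1003 HTTP/1.1" 200 503',
    '198.51.100.4 - - [16/Mar/2023:10:00:03 +0000] "GET /api/users/42 HTTP/1.1" 200 510',
    '203.0.113.7 - - [16/Mar/2023:10:00:03 +0000] "GET /api/users/1004 HTTP/1.1" 200 511',
    '203.0.113.7 - - [16/Mar/2023:10:00:03 +0000] "GET /api/users/1005 HTTP/1.1" 200 490',
    '198.51.100.4 - - [16/Mar/2023:10:00:04 +0000] "GET /api/users/42 HTTP/1.1" 200 510',
    '203.0.113.7 - - [16/Mar/2023:10:00:04 +0000] "GET /api/users/1006 HTTP/1.1" 404 0',
]


def find_sequential_probing(log_lines, min_run=5):
    """Return {ip: longest_run} for clients whose requested numeric IDs form a
    run of consecutive values (n, n+1, n+2, ...) at least min_run long."""
    per_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_ip[m["ip"]].append(int(m["id"]))
    flagged = {}
    for ip, ids in per_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    portal = DealerPortal()
    alice = portal.create_user("alice@example.test")
    bob = portal.create_user("bob@example.test")
    session = portal.login(alice)
    print(portal.get_user(session, bob, claimed_role="admin"))  # None
    print(find_sequential_probing(SAMPLE_LOG))                 # {'203.0.113.7': 6}
```

The detector keys on the shape of the request sequence rather than on any particular ID, so it also applies to other enumerable resources if the regular expression is pointed at a different path; on a platform that still uses sequential IDs, a spike of consecutive lookups from one client is the earliest visible sign of the enumeration described above.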

In total, the flaws permitted unauthorized access to 21,393 client orders across all dealers from August 2016 to March 2023, as well as 3,588 dealer accounts, 1,090 dealer emails, 1,570 dealer websites (of which 1,091 are active), and 11,034 customer emails.

Honda has fixed the vulnerabilities after a timely disclosure on March 16, 2023.
