
Password Reset Hack Revealed in Honda E-Commerce Platform, Dealer Data is at Risk


June 12, 2023 · Ravie Lakshmanan · Data Security / Hacking

A security vulnerability discovered in Honda’s e-commerce platform could have been exploited to gain unrestricted access to sensitive dealer information.

“Broken/lost access controls made it possible to access all data on the platform, even when logged in as a test account,” security researcher Eaton Zveare said in a report published last week.

The platform serves Honda's electrical equipment, marine, and lawn and garden businesses. The issue had no impact on the company's Japanese automotive division.

In short, the hack involves exploiting the password reset mechanism on one of Honda's sites, Power Equipment Tech Express (PETE), to reset the password associated with any account and gain full admin-level access.


This is possible because the API allows any user to send a password reset request knowing only the username or email address, without having to supply the password associated with that account.

Armed with this capability, bad actors can log in and take over other accounts, and then take advantage of the sequential nature of dealer site URLs (i.e., “admin.pedealer.honda(.)com/dealersite//dashboard”) to gain unauthorized access to another dealer's admin dashboard.


“Just by adding that ID, I can get access to every dealer’s data,” explains Zveare. “The underlying JavaScript code takes that ID and uses it in an API call to fetch the data and display it on the page. Fortunately, this discovery makes the need for a password reset moot.”

Worse still, the design flaw could have been used to access dealer customers, edit their websites and products, and even grant platform-wide administrator privileges, a feature restricted to Honda employees, by means of a tailor-made request to view dealer network details.
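As an added illustration (not code from Zveare's report or from Honda's platform), the two defects the article describes, a dealer ID trusted straight from the URL and a password reset that requires no proof of account ownership, shown beside hardened versions. All dealer records, account names, IDs and handler functions are constructed for the example and stand in for the real API.

```python
import hmac
import secrets

# Constructed sample data standing in for the platform's records; not real Honda data.
DEALERS = {1001: {"name": "Dealer A", "orders": ["A-1", "A-2"]},
           1002: {"name": "Dealer B", "orders": ["B-1"]}}
# username -> owning dealer (None for Honda staff) and whether it is a platform admin
ACCOUNTS = {"test_user": {"dealer_id": 1001, "platform_admin": False},
            "honda_staff": {"dealer_id": None, "platform_admin": True}}
PASSWORDS = {"test_user": "old-pw", "honda_staff": "old-pw"}
RESET_TOKENS = {}  # single-use reset tokens, keyed by username

def dashboard_insecure(session_user: str, dealer_id: int) -> dict:
    """Vulnerable: the id from /dealersite/<id>/dashboard is trusted after login alone."""
    return DEALERS[dealer_id]

def dashboard_secure(session_user: str, dealer_id: int) -> dict:
    """Hardened: authentication says who you are; authorization checks that this account
    may see this dealer. Platform admins see all, everyone else only their own dealer."""
    acct = ACCOUNTS[session_user]
    if not acct["platform_admin"] and acct["dealer_id"] != dealer_id:
        raise PermissionError(f"{session_user} may not access dealer {dealer_id}")
    return DEALERS[dealer_id]

def check_isolation(handler, session_user: str = "test_user") -> int:
    """Regression check: how many dealer dashboards a plain dealer account can read."""
    readable = 0
    for dealer_id in DEALERS:
        try:
            handler(session_user, dealer_id)
            readable += 1
        except PermissionError:
            pass
    return readable

def request_reset(username: str) -> str:
    """Hardened reset, step 1: mint a single-use token. A real system emails it to the
    account's registered address and never returns it in the HTTP response."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = token
    return token

def reset_secure(username: str, token: str, new_password: str) -> None:
    """Hardened reset, step 2: only the holder of the emailed token can set a password.
    The token is consumed on the first attempt, so a replay is rejected."""
    expected = RESET_TOKENS.pop(username, None)
    if expected is None or not hmac.compare_digest(expected, token):
        raise PermissionError("missing or invalid reset token")
    PASSWORDS[username] = new_password
```

With the insecure handler a plain dealer account reads every dealer's dashboard; with the hardened one it reads only its own, while the Honda staff account still sees all of them.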


Overall, the flaws allowed unauthorized access to 21,393 customer orders across all dealerships from August 2016 to March 2023, 1,570 dealer websites (1,091 of which were active), 3,588 dealer accounts, 1,090 dealer emails, and 11,034 customer emails.

Threat actors could also have abused access to these dealer websites by installing payment skimmers or cryptocurrency mining code, thereby enabling them to make illegal profits.

Following responsible disclosure on March 16, 2023, the vulnerability was addressed by Honda on April 3, 2023.

The disclosure comes months after Zveare detailed security issues in Toyota's Global Supplier Preparation Information Management System (GSPIMS) and C360 CRM that could have been used to access a large amount of corporate and customer data.
