Password Reset Hack Exposed in Honda’s E-Commerce Platform, Dealers Data at Risk

Password Reset Hack

Security vulnerabilities discovered in Honda’s e-commerce platform could have been exploited to gain unrestricted access to sensitive dealer information.

“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account,” security researcher Eaton Zveare said in a report published last week.

The platform is designed for the sale of power equipment, marine, lawn and garden businesses. It does not impact the Japanese company’s automobile division.

The hack, in a nutshell, exploits a password reset mechanism on one of Honda’s sites, Power Equipment Tech Express (PETE), to reset the password associated with any account and obtain full admin-level access.

Cybersecurity

This is made possible due to the fact that the API allows any user to send a password reset request simply by just knowing the username or email address and without having to enter a password tied to that account.

Armed with this capability, a malicious actor could sign in and takeover another account, and subsequently take advantage of the sequential nature of the dealer site URLs (i.e., “admin.pedealer.honda[.]com/dealersite/<ID>/dashboard) to gain unauthorized access to a different dealer’s admin dashboard.

Honda E-commerce

“Just by incrementing that ID, I could gain access to every dealers’ data,” Zveare explained. “The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot.”

To make matters worse, the design flaw could have been used to access a dealer’s customers, edit their website and products, and worse, elevate privileges to the administrator of the entire platform – a feature restricted to Honda employees – by means of a specially crafted request to view details of the dealer network.

UPCOMING WEBINAR
🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join Now

In all, the weaknesses allowed for illegitimate access to 21,393 customer orders across all dealers from August 2016 to March 2023 1,570 dealer websites (of which 1,091 are active), 3,588 dealer accounts, 1,090 dealer emails, and 11,034 customer emails.

Threat actors could also leverage access to these dealer websites by planting skimmer or cryptocurrency mining code, thereby allowing them to reap illicit profits.

The vulnerabilities, following responsible disclosure on March 16, 2023, have been addressed by Honda as of April 3, 2023.

The disclosure comes months after Zveare detailed security issues in Toyota’s Global Supplier Preparation Information Management System (GSPIMS) and C360 CRM that could have been leveraged to access a wealth of corporate and customer data.



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn