Honda’s E-Commerce Platform Vulnerable to Unauthorized Access
Honda’s e-commerce platform for power equipment, outboard motors and garden equipment was vulnerable to unauthorized access: a bug in its password reset API let anyone reset the password of any account. Security researcher Eaton Zveare discovered the issue, which did not affect owners of Honda cars and motorcycles.
Vulnerability Discovered in Password Reset API
Zveare found that the password reset API allowed the passwords of high-privilege accounts to be reset, granting administrator-level access to the platform’s data.
“Broken and missing access controls allowed access to all data on the platform, even when signed in as a test account,” explains Zveare.
The flaw was in the API of Honda’s e-commerce platform, which assigns powerdealer.honda.com subdomains to registered resellers and dealers. A password reset API on one of Honda’s sites, Power Equipment Tech Express (PETE), processed reset requests without a reset token or the current password; a valid e-mail address was all it required.
Although the dealer login portal itself was not affected, credentials reset through PETE were accepted there as well, so anyone who knew a dealer’s e-mail address could sign in and reach that dealer’s internal data.
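The reset pattern described above, next to the token-based flow that prevents it, as an added example; this is illustrative code, not Honda’s or Zveare’s, and the in-memory user store, the example.com addresses and the 15-minute token lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """Return 'salt_hex$hash_hex' using salted PBKDF2-HMAC-SHA256."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(email, password):
    """Check a login attempt against the stored hash (constant-time compare)."""
    user = USERS.get(email)
    if user is None:
        return False
    salt_hex, stored_hex = user["password_hash"].split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return hmac.compare_digest(candidate.hex(), stored_hex)


# Constructed example accounts (assumption: not real Honda data). The roles
# mirror the dealer/admin split the article describes.
USERS = {
    "dealer@example.com": {"role": "dealer", "password_hash": hash_password("dealer-initial")},
    "admin@example.com": {"role": "admin", "password_hash": hash_password("admin-initial")},
}


def vulnerable_reset(email, new_password):
    """The broken pattern: e-mail address plus new password, nothing else.

    Knowing an address that exists is enough to take the account over, which
    is exactly what made the reset endpoint described above exploitable.
    """
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = hash_password(new_password)
    return True


# Hardened flow: a random, single-use, expiring token bound to one account.
# Only the token's hash is stored, so a leaked token table is useless.
RESET_TOKENS = {}          # sha256(token) -> (email, expires_at)
TOKEN_TTL_SECONDS = 15 * 60  # assumption for the example


def request_reset(email, now=None):
    """Step 1: mint a token for the account and deliver it out of band.

    Returns the raw token only so the example is runnable; a real HTTP
    endpoint would e-mail it and answer identically whether or not the
    address is registered, so the response does not enumerate accounts.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    raw = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(raw.encode()).hexdigest()] = (email, now + TOKEN_TTL_SECONDS)
    return raw


def complete_reset(email, token, new_password, now=None):
    """Step 2: accept the new password only with a live token for this account."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(digest)
    if entry is None:
        return False
    bound_email, expires_at = entry
    # Reject expired tokens and tokens minted for a different account; either
    # way the token is burned so it cannot be retried.
    if now > expires_at or not hmac.compare_digest(bound_email.encode(), email.encode()):
        RESET_TOKENS.pop(digest, None)
        return False
    del RESET_TOKENS[digest]  # single use
    USERS[email]["password_hash"] = hash_password(new_password)
    return True
```

The difference is where the proof of account ownership comes from: `vulnerable_reset` trusts the caller’s claim of an e-mail address, while `complete_reset` requires possession of a secret that was delivered only to that address, expires, and is bound to the account it was issued for.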
Data Exposed
Using these flaws, the researcher was able to reach the following data:
– 21,393 customer orders from August 2016 to March 2023 (including the customer’s name, address, telephone number and ordered goods);
– 1,570 dealer sites (1,091 of them active), any of which could be modified;
– 3,588 user/dealer accounts (including first and last name and e-mail address), each of whose passwords could be changed;
– 1,090 dealer e-mail addresses (with first and last name);
– 11,034 customer e-mail addresses (with first and last name);
– potentially, the private keys for Stripe, PayPal and Authorize.net of the dealers who had stored them;
– internal financial reports.
The listed data could be used for phishing campaigns and social engineering attacks, or sold on hacker forums and darknet marketplaces. In addition, with access to the dealers’ websites, attackers could inject web skimmers and other malicious code into them.
Honda Resolves Issue
The researcher notified Honda of his findings on March 16, 2023, and on April 3, 2023, the company confirmed that all issues had been resolved. Since Honda does not have a bug bounty program, Zveare received no reward for his research.