
Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data

Vulnerabilities found by a researcher in a Honda ecommerce platform used for equipment sales exposed customer and dealer information.

A researcher has disclosed the details of serious vulnerabilities discovered in a Honda ecommerce platform used for equipment sales. Exploitation of the flaws could have allowed an attacker to gain access to customer and dealer information.

The security holes and the data exposure were discovered earlier this year by US-based researcher Eaton Zveare, who notified Honda about his findings in mid-March. The vendor immediately took steps to address the issues and thanked the white hat hacker for his work, but did not reward him as it does not have a bug bounty program. Honda said it did not find any evidence of malicious exploitation. 

While Honda is best known for its cars, the ecommerce platform analyzed by Zveare is designed for the sales of Honda power equipment (generators, pumps, lawn mowers), and boat engines and accessories. 

The platform powers Honda Dealer Sites, a service that dealers can use to create websites where they sell Honda products. Dealers need to create an account and are then provided all the tools they need to create a website, promote it, and handle product orders. 

The researcher discovered a password reset API vulnerability in an admin dashboard that allowed him to reset the password of a test account set up by Honda. While that only gave him access to the test account, he discovered an insecure direct object references (IDOR) vulnerability that gave him access to every dealer’s data simply by changing the value of an ID in the admin panel’s URL.

From the dealer admin dashboard he was also able to elevate privileges to administrator of the entire platform — functionality reserved for Honda employees — using a specially crafted request. This administration panel provided an overview of the dealer network, including the amount of money earned in subscription fees. 
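The two flaws above, an IDOR on a dealer ID taken from the URL and a platform-admin function reachable by a dealer login, are both failures to check authorization against server-side session state. The following is an added illustration, not Honda's code and not the researcher's: a constructed dealer table with a handler that trusts the URL ID beside one that enforces object-level and role checks.

```python
"""Object-level authorization for a dealer admin panel: the IDOR pattern beside its fix."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object or function."""


@dataclass(frozen=True)
class Session:
    user_id: str
    dealer_id: str   # dealer this login belongs to, set server-side at login
    role: str        # "dealer" or "platform_admin", also set server-side


# Constructed sample records standing in for the platform's dealer table.
DEALERS = {
    "1001": {"name": "Dealer A", "owner": "alice", "orders": 42},
    "1002": {"name": "Dealer B", "owner": "bob", "orders": 17},
}


def get_dealer_vulnerable(session: Session, dealer_id: str) -> dict:
    """IDOR: the ID comes straight from the URL and is never compared with
    the session, so any authenticated dealer can read any dealer's record."""
    return DEALERS[dealer_id]


def get_dealer(session: Session, dealer_id: str) -> dict:
    """Hardened: the caller must own the dealer or hold the platform-admin role.
    A missing record and a forbidden one raise the same error, so the response
    does not confirm which IDs exist."""
    record = DEALERS.get(dealer_id)
    allowed = session.role == "platform_admin" or session.dealer_id == dealer_id
    if record is None or not allowed:
        raise Forbidden(f"dealer {dealer_id} not accessible to {session.user_id}")
    return record


def dealer_network_overview(session: Session) -> dict:
    """Platform-wide view gated on the server-side role, never on request data."""
    if session.role != "platform_admin":
        raise Forbidden("platform admin only")
    return {"dealers": len(DEALERS),
            "orders": sum(d["orders"] for d in DEALERS.values())}


def can_read_dealer(session: Session, dealer_id: str) -> bool:
    """True if the hardened handler would serve the record to this session."""
    try:
        get_dealer(session, dealer_id)
        return True
    except Forbidden:
        return False
```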

Zveare said he had gained access to more than 21,000 customer orders ranging from 2016 to 2023, including name, address, phone number and information on the ordered items. The vulnerabilities also exposed 1,500 dealer sites that could have been modified by the attacker.

In addition, the researcher found more than 3,500 dealer accounts for which he could have changed the password, roughly 1,000 dealer email addresses, and 11,000 customer email addresses. He believes it may have also been possible to obtain the private keys provided by some dealers for payment services such as PayPal, Stripe and Authorize.net.


“With access to more than 21k customer orders, highly targeted phishing campaigns could be created to trick customers into providing even more valuable data, or to try and install malware on their devices. Another possibility would have been to check for new Honda orders every day and send phishing emails to customers disguised as ‘Register your new Honda product’ or ‘You mistyped your credit card number, click here to correct it’,” the researcher wrote in a blog post regarding potential impact.

He added, “The most significant issue I can think of is the access to the dealer sites. There are more than 1k active sites that could have been covertly updated to add malicious code such as cryptominers and credit card skimmers. Of course, it’s possible some astute dealers may discover such website changes, but they might chalk it up to themselves being hacked and change their dealer account password. Unfortunately, there is nothing any dealer could have done to protect their store from this attack.”

Earlier this year, Zveare reported finding a vulnerability in a Toyota customer relationship management (CRM) platform, which could have been exploited to access the personal information of customers in Mexico.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
