A researcher has disclosed the details of serious vulnerabilities discovered in a Honda ecommerce platform used for equipment sales. Exploitation of the flaws could have allowed an attacker to gain access to customer and dealer information.
The security holes and the data exposure were discovered earlier this year by US-based researcher Eaton Zveare, who notified Honda about his findings in mid-March. The vendor immediately took steps to address the issues and thanked the white hat hacker for his work, but did not reward him as it does not have a bug bounty program. Honda said it did not find any evidence of malicious exploitation.
While Honda is best known for its cars, the ecommerce platform analyzed by Zveare is designed for the sales of Honda power equipment (generators, pumps, lawn mowers), and boat engines and accessories.
The platform powers Honda Dealer Sites, a service that dealers can use to create websites where they sell Honda products. Dealers need to create an account and are then provided all the tools they need to create a website, promote it, and handle product orders.
The researcher discovered a password reset API vulnerability in an admin dashboard that allowed him to reset the password of a test account set up by Honda. While that only gave him access to the test account, he discovered an insecure direct object references (IDOR) vulnerability that gave him access to every dealer’s data simply by changing the value of an ID in the admin panel’s URL.
From the dealer admin dashboard he was also able to elevate privileges to administrator of the entire platform — functionality reserved for Honda employees — using a specially crafted request. This administration panel provided an overview of the dealer network, including the amount of money earned in subscription fees.
Zveare said he had gained access to more than 21,000 customer orders ranging from 2016 to 2023, including name, address, phone number and information on the ordered items. The vulnerabilities also exposed 1,500 dealer sites that could have been modified by the attacker.
In addition, the researcher found more than 3,500 dealer accounts for which he could have changed the password, roughly 1,000 dealer email addresses, and 11,000 customer emails addresses. He believes it may have also been possible to obtain the private keys provided by some dealers for payment services such as PayPal, Stripe and Authorize.net.
“With access to more than 21k customer orders, highly targeted phishing campaigns could be created to trick customers into providing even more valuable data, or to try and install malware on their devices. Another possibility would have been to check for new Honda orders every day and send phishing emails to customers disguised as ‘Register your new Honda product’ or ‘You mistyped your credit card number, click here to correct it’,” the researcher wrote in a blog post regarding potential impact.
He added, “The most significant issue I can think of is the access to the dealer sites. There are more than 1k active sites that could have been covertly updated to add malicious code such as cryptominers and credit card skimmers. Of course, it’s possible some astute dealers may discover such website changes, but they might chalk it up to themselves being hacked and change their dealer account password. Unfortunately, there is nothing any dealer could have done to protect their store from this attack.”
Earlier this year, Zveare reported finding a vulnerability in a Toyota customer relationship management (CRM) platform, which could have been exploited to access the personal information of customers in Mexico.