Security vulnerabilities discovered in Honda's e-commerce platform could have been exploited to gain unrestricted access to sensitive dealer information.
"Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account," security researcher Eaton Zveare said in a report published last week.
The platform serves Honda's power equipment, marine, and lawn and garden businesses. It does not affect the Japanese company's automobile division.
The hack, in a nutshell, exploits a password reset mechanism on one of Honda's sites, Power Equipment Tech Express (PETE), to reset the password associated with any account and gain full admin-level access.
This is made possible because the API allows anyone to send a password reset request simply by knowing the username or email address, without having to enter a password tied to that account.
Armed with this ability, a malicious actor could sign in and take over another account, and subsequently take advantage of the sequential nature of the dealer site URLs (i.e., "admin.pedealer.honda[.]com/dealersite/
To make matters worse, the design flaw could have been used to access a dealer's customers, edit their site and products, and worse, elevate privileges to administrator of the entire platform – a feature restricted to Honda employees – by means of a specially crafted request to view details of the dealer network.
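The object-level check that the dealer-site and role-change flaws described above come down to, as an added example that is not Honda's or the researcher's code: an authentication-only handler beside one that also verifies the dealer site belongs to the caller and keeps privilege changes staff-only, over constructed sample data. The role names, account and site records, and the denial log are all assumptions for illustration.

```python
# Added example, not Honda's or the researcher's code: object-level authorization for a
# dealer-site endpoint. Names, roles and data below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Account:
    username: str
    role: str                  # "dealer" or "honda_admin" (assumed role names)
    dealer_id: Optional[int]   # owning dealer; None for Honda staff

# Constructed sample data, keyed by the sequential id in .../dealersite/<n>:
# two dealer sites, a dealer "test" account and one Honda admin.
SITES: Dict[int, dict] = {1: {"dealer_id": 100, "orders": ["order-A"]},
                          2: {"dealer_id": 200, "orders": ["order-B"]}}
ACCOUNTS: Dict[str, Account] = {"test": Account("test", "dealer", 100),
                                "staff": Account("staff", "honda_admin", None)}
DENIED_LOG: List[str] = []     # stand-in for the audit log a real service writes

class Forbidden(Exception):
    pass

def broken_get_site(actor: Account, site_id: int) -> dict:
    """The flaw: authentication only; any logged-in account reads any site id."""
    return SITES[site_id]

def hardened_get_site(actor: Account, site_id: int) -> dict:
    """Owner check on every request. Missing and foreign sites are refused
    identically, so the error cannot be used to confirm which ids exist."""
    site = SITES.get(site_id)
    if site is None or not (actor.role == "honda_admin" or actor.dealer_id == site["dealer_id"]):
        # Denials across consecutive ids from one account is the pattern to alert on.
        DENIED_LOG.append(f"denied user={actor.username} site={site_id}")
        raise Forbidden(f"site {site_id}")
    return site

def hardened_set_role(actor: Account, target: str, new_role: str) -> None:
    """Role changes are a separate staff-only action, never a field a dealer request may carry."""
    if actor.role != "honda_admin":
        DENIED_LOG.append(f"denied role-change by={actor.username} target={target}")
        raise Forbidden("role change")
    ACCOUNTS[target].role = new_role

def is_denied(call: Callable[[], object]) -> bool:
    # True if the access-control layer refused the call.
    try:
        call()
        return False
    except Forbidden:
        return True
```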
In all, the weaknesses allowed illegitimate access to 21,393 customer orders across all dealers from August 2016 to March 2023, 1,570 dealer websites (of which 1,091 are active), 3,588 dealer accounts, 1,090 dealer emails, and 11,034 customer emails.
Threat actors could also leverage access to these dealer websites by planting skimmer or cryptocurrency mining code, thereby enabling them to reap illicit gains.
The vulnerabilities, following responsible disclosure on March 16, 2023, were addressed by Honda as of April 3, 2023.
The disclosure arrives months after Zveare detailed security issues in Toyota's Global Supplier Preparation Information Management System (GSPIMS) and C360 CRM that could have been leveraged to obtain a wealth of corporate and customer data.