Honda E-Commerce Platform Was Vulnerable To Unauthorized Access Due To API Flaws

Posted on June 8, 2023 at 4:12 AM


The Honda e-commerce platform used for its marine, power equipment, and lawn and garden products was vulnerable to unauthorized access. API flaws allowed anyone to reset the password on any account and thereby gain access to the platform.

Honda is vulnerable to exploits because of API flaws

Honda is a Japanese manufacturer of a wide range of products, including motorcycles, automobiles and power equipment. The division affected by this vulnerability is power equipment, so owners of Honda cars and motorcycles are not affected.

The security issue in Honda's systems was discovered by security researcher Eaton Zveare. The same researcher was behind the breach of the Toyota supplier portal a few months earlier, which involved similar vulnerabilities on that platform.

The researcher demonstrated the issue through a password reset API that resets the password of any user account. An attacker who gains access this way has unrestricted access to data on the company's network. The researcher noted that this data was reachable because of broken or missing access controls once signed into a test account.

By exploiting this flaw, the researcher was able to expose a wide range of information. The researcher accessed 21,393 customer orders from August 2016 to March 2023, with the exposed details including phone numbers, addresses, customer names and items ordered.

The exposed information also included 1,570 dealer websites and 3,588 dealer users or accounts, whose passwords the researcher could have changed, as well as 1,090 dealer emails, 11,034 customer emails and internal financial reports. The PayPal, Stripe and Authorize.net private keys of dealers who offered those payment options could also have been accessed.

Data exposed in this way could be used for phishing and social engineering attacks, or sold on hacker forums and dark web marketplaces. With access to the dealer sites, attackers could also plant credit card skimmers and malicious JavaScript snippets.

Obtaining access to admin panels

Zveare also explained that the API vulnerability existed within the Honda e-commerce platform, which assigns “powerdealer.honda.com” subdomains to registered dealers and resellers.

The researcher also observed that the password reset API on one of Honda's sites, Power Equipment Tech Express (PETE), processed reset requests without requiring a token or the previous password. The only thing needed to perform the reset was a valid email address.

The vulnerability itself is not present on the e-commerce subdomains' login portal, but credentials changed through the PETE site still work there, giving anyone access to internal dealership data after this simple attack.

The only thing an attacker might lack is a valid email address belonging to a dealer. The researcher also created a YouTube video demonstrating the dealer dashboard through a test account.
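The reset flow described above, contrasted with a hardened one, as an added example (not Honda's code): the weak handler accepts an email alone, while the hardened handler only honours an HMAC-signed, time-limited, single-use token that is delivered to the mailbox and carries the account identity itself. The account store, key handling and password hashing are stand-ins for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory account store (assumption; not the platform's own code).
USERS = {"dealer@example.invalid": {"pw_hash": None}}
SECRET = secrets.token_bytes(32)   # server-side signing key, never sent to clients
TOKEN_TTL = 15 * 60                # reset tokens expire after 15 minutes
_used_tokens = set()               # tokens are single-use

def hash_pw(pw):
    # Placeholder for illustration only; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(pw.encode()).hexdigest()

def weak_reset(email, new_password):
    """The anti-pattern the article describes: an email address alone resets the account."""
    if email not in USERS:
        return False
    USERS[email]["pw_hash"] = hash_pw(new_password)
    return True

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_reset_token(email, now=None):
    """Mint an HMAC-signed, time-limited token bound to the account.
    Deliver it only to that mailbox; respond identically whether or not the email exists."""
    if email not in USERS:
        return None
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{email}|{exp}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"

def hardened_reset(token, new_password, now=None):
    """Reset only with a valid, unexpired, unused token.
    The account is taken from the signed token, never from a client-supplied email."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    email, exp, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{email}|{exp}|{nonce}")):
        return False
    current = now if now is not None else time.time()
    if current > int(exp) or token in _used_tokens or email not in USERS:
        return False
    _used_tokens.add(token)
    USERS[email]["pw_hash"] = hash_pw(new_password)
    return True
```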

The flaw could also have been exploited to obtain information from real dealers rather than the test account. The researcher, however, looked for a way to access that information without disrupting operations and without resetting the passwords of hundreds of accounts.

The method he found gave access to the data panels of all Honda dealers simply by incrementing the user ID until no further results were returned. Zveare added that the underlying JavaScript code took that ID, used it in API calls to fetch the data, and displayed it on the page.
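Detection logic for the ID-walking pattern just described, as an added example that is not from the article: it runs over a few constructed access-log lines, groups requests per session, and flags sessions that touch many distinct dealer IDs in consecutive order. The log format, session field and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): timestamp, session, method, path, status.
SAMPLE_LOG = """\
2023-03-10T10:00:01Z sess=s1 GET /api/dealer/1001 200
2023-03-10T10:00:02Z sess=s1 GET /api/dealer/1002 200
2023-03-10T10:00:03Z sess=s1 GET /api/dealer/1003 200
2023-03-10T10:00:04Z sess=s1 GET /api/dealer/1004 200
2023-03-10T10:00:05Z sess=s1 GET /api/dealer/1005 200
2023-03-10T10:00:06Z sess=s1 GET /api/dealer/1006 200
2023-03-10T10:00:07Z sess=s2 GET /api/dealer/1001 200
2023-03-10T10:00:09Z sess=s2 GET /api/dealer/1001/orders 200
2023-03-10T10:00:20Z sess=s3 GET /api/dealer/1042 200
2023-03-10T10:00:21Z sess=s3 GET /api/dealer/1043 403
2023-03-10T10:00:22Z sess=s3 GET /api/dealer/1044 403
2023-03-10T10:00:23Z sess=s3 GET /api/dealer/1045 403
"""

LINE_RE = re.compile(r"sess=(?P<sess>\S+) \S+ /api/dealer/(?P<id>\d+)(?:/\S*)? (?P<status>\d{3})")

def parse(log_text):
    """Return, per session, the list of (dealer_id, status) hits in log order."""
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_session[m["sess"]].append((int(m["id"]), int(m["status"])))
    return per_session

def flag_enumeration(log_text, min_distinct=4, min_sequential_ratio=0.75):
    """Flag sessions that touch at least `min_distinct` dealer IDs where most gaps
    between the sorted IDs are exactly 1. A session scoped to its own dealer (s2)
    touches one ID and is never flagged. `ok_responses` shows whether the server
    actually served the data (s1) or the authorization check held (s3)."""
    findings = {}
    for sess, hits in parse(log_text).items():
        distinct = sorted({dealer_id for dealer_id, _ in hits})
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            findings[sess] = {"distinct_ids": len(distinct),
                              "ok_responses": sum(1 for _, st in hits if st == 200)}
    return findings
```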

This flaw in the Honda platform could have been exploited by any registered Honda dealer to access the panels of other dealers, including their customer details and orders. The last stage of the attack involved gaining access to the Honda admin panel, the central control point of the Honda e-commerce platform.

According to the researcher, admin access was obtained by modifying an HTTP response so that the application treated him as an administrator, which also gave him unlimited access to the Honda Dealer Sites platform. The flaw was reported to Honda on March 16, 2023, and the company has since issued a patch and confirmed that the problems were fixed. However, Zveare was not rewarded, as Honda has no bug bounty program.
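The two authorization failures above (a dealer reaching other dealers' panels, and admin status taken from something the client can edit) share one fix: the server decides role and ownership from its own session store on every data request. This added example (not the platform's code) shows that check with a constructed session table and dealer records; the `client_claims_admin` parameter stands in for any browser-side flag and is deliberately ignored.

```python
# Constructed server-side session store and dealer records (assumptions for illustration).
SESSIONS = {
    "sess-dealer-a": {"dealer_id": 1001, "role": "dealer"},
    "sess-dealer-b": {"dealer_id": 1002, "role": "dealer"},
    "sess-honda":    {"dealer_id": None, "role": "admin"},
}
DEALERS = {
    1001: {"name": "Dealer A", "orders": ["A-1", "A-2"]},
    1002: {"name": "Dealer B", "orders": ["B-1"]},
}

class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""

def get_dealer_panel(session_id, dealer_id, client_claims_admin=False):
    """Object-level authorization for a dealer-panel API call.

    Role and ownership come only from the server-side session; `client_claims_admin`
    models a flag in a request or an edited response and is never consulted. The same
    error is returned whether the dealer is foreign or nonexistent, so a caller cannot
    learn which IDs are valid by walking them."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("no session")
    is_admin = session["role"] == "admin"           # server-side fact, not client input
    if not is_admin and session["dealer_id"] != dealer_id:
        raise Forbidden("not permitted")
    record = DEALERS.get(dealer_id)
    if record is None:
        raise Forbidden("not permitted")
    return record
```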

Publisher: Koddos