UPDATED 20:47 EST / JUNE 08 2023

SECURITY

Vulnerability on Honda platform could have exposed customer and dealer details

A recently detailed vulnerability in an e-commerce platform offered by Honda Motor Co. Ltd. could have exposed the details of both Honda customers and dealers.

First detailed June 6 by security researcher Eaton Zveare, the flaw in the platform was due to a password reset application programming interface that could allow an attacker to reset passwords for any account and fault access controls providing access to all data on the platform.

Using the vulnerability, Zveare was able to obtain admin-level access. With the access, he was able to access 21,393 customer orders, including personal information and items ordered, 1,570 dealer websites, 3,588 dealer accounts, 1,090 dealer emails, 11,034 customer emails, potentially private keys for Stripe Inc., PayPal Holdings Inc. and Authorize.net from dealers and internal financial reports.

Zveare did note that the issue did not affect Honda’s automobile business but was exclusive to Honda’s other product lines sold online, such as power equipment, marine and lawn and garden products. It’s uncertain exactly how long the vulnerability was exposed, but Honda’s e-commerce platform and dealer sites have been operating since 2016.

After being contacted with the details in April, Honda patched the issue before Zveare went public. Zveare was previously in the news in February when he disclosed details of a vulnerability in Toyota’s Global Supplier Preparation Information Management System.

“Just as with the Toyota hack, finding an API that allowed for privileged access was a great way to get in,” Jason Kent, hacker in residence at API security company Cequence Security Inc., told SiliconANGLE. “It’s interesting they found that while trying a standard password reset attack but realized it would be way less noisy to attack the token directly.”

Kent noted that API Security is immature, but application security, the basis for it, has been around for the better part of three decades.

“The lessons we thought we had learned in AppSec, don’t seem to be resonating with the same communities that are looking after APIs,” Kent added. “If the technique works at my neighbor, it will probably work on me, needs to be a priority. Taking the lessons learned from the industry and applying them, is the only way we are going to make things better.”

Photo: Pixnio

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU