UPDATED 20:47 EST / JUNE 08 2023

SECURITY

Vulnerability on Honda platform could have exposed customer and dealer details

A recently detailed vulnerability in an e-commerce platform offered by Honda Motor Co. Ltd. could have exposed the details of both Honda customers and dealers.

First detailed June 6 by security researcher Eaton Zveare, the flaw in the platform was due to a password reset application programming interface that could allow an attacker to reset the password of any account, combined with faulty access controls that granted access to all data on the platform.

Using the vulnerability, Zveare was able to obtain admin-level access. With that access, he could view 21,393 customer orders, including personal information and items ordered; 1,570 dealer websites; 3,588 dealer accounts; 1,090 dealer emails; 11,034 customer emails; potentially private keys for Stripe Inc., PayPal Holdings Inc. and Authorize.net belonging to dealers; and internal financial reports.
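The article gives no code, so the following Python is an added illustration, not Honda's implementation and not taken from Zveare's write-up. It models the two controls whose absence the article describes: a password reset API whose token is bound server-side to a single account (so it cannot be used to reset any other account, and cannot be replayed or used after it expires), and an object-level authorization check on order data so that a caller only sees records they own unless they hold an admin role. The store, function names (`ResetStore`, `request_reset`, `complete_reset`, `get_order`), the 15-minute token lifetime and the sample accounts are all assumptions made for this example.

```python
"""Hardened password-reset and data-access checks (added illustration).

Not Honda's code and not derived from the researcher's write-up: an assumed,
in-memory model of the two controls the article says were missing, a reset
API that could change any account's password and access controls that did
not restrict which data a caller could read. All names here are assumptions.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime


def hash_password(password):
    # Demo only: production code should use a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


class ResetStore:
    """Minimal stand-in for the user, token and order tables."""

    def __init__(self):
        self.users = {}   # email -> {"password_hash": str, "role": str}
        self.tokens = {}  # sha256(raw token) -> {"email": str, "expires": float}
        self.orders = {}  # order_id -> {"owner": email, "items": [...]}

    def add_user(self, email, password, role="customer"):
        self.users[email] = {"password_hash": hash_password(password), "role": role}


def request_reset(store, email, now=None):
    """Issue a reset token bound to one account.

    Returns the raw token that would be sent to the address on file, or None
    for unknown accounts. The caller never chooses which account a token
    belongs to; that binding is fixed server-side at issuance.
    """
    now = time.time() if now is None else now
    if email not in store.users:
        return None
    raw = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, not guessable
    digest = hashlib.sha256(raw.encode()).hexdigest()
    # Store only the hash so a leaked token table cannot be replayed.
    store.tokens[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def complete_reset(store, raw_token, new_password, now=None):
    """Consume a token and set the password of the account it was issued for.

    Rejects unknown, expired and already-used tokens. The request carries no
    account identifier, so a valid token for one account cannot be redirected
    at another.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(raw_token.encode()).hexdigest()
    entry = store.tokens.pop(digest, None)  # single use, whether or not it succeeds
    if entry is None or entry["expires"] < now:
        return False
    email = entry["email"]
    store.users[email]["password_hash"] = hash_password(new_password)
    # Invalidate any other outstanding tokens for the same account.
    stale = [d for d, e in store.tokens.items() if e["email"] == email]
    for d in stale:
        del store.tokens[d]
    return True


def get_order(store, caller_email, order_id):
    """Object-level authorization for order data.

    A caller sees an order only if they own it or hold the admin role.
    Unknown and unauthorized ids both return None so the response does not
    reveal whether an order exists.
    """
    order = store.orders.get(order_id)
    if order is None:
        return None
    role = store.users.get(caller_email, {}).get("role")
    if role != "admin" and order["owner"] != caller_email:
        return None
    return order


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    store = ResetStore()
    store.add_user("alice@example.com", "old-pass")
    token = request_reset(store, "alice@example.com")
    print("reset ok:", complete_reset(store, token, "new-pass"))
    print("replay rejected:", not complete_reset(store, token, "again"))
```

The design choice worth noting is that `complete_reset` takes only the token and the new password: the account is looked up from the token, never supplied by the client. A reset endpoint that accepts an account identifier alongside the token, or that treats the token as optional, is the shape that lets one account's reset be pointed at another. Likewise `get_order` checks ownership on every object read rather than trusting that the caller only requests ids it was shown.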

Zveare noted that the issue did not affect Honda’s automobile business but was exclusive to Honda’s other product lines sold online, such as power equipment, marine, and lawn and garden products. It’s uncertain exactly how long the vulnerability was exposed, but Honda’s e-commerce platform and dealer sites have been operating since 2016.

After being contacted with the details in April, Honda patched the issue before Zveare went public. Zveare was previously in the news in February when he disclosed details of a vulnerability in Toyota’s Global Supplier Preparation Information Management System.

“Just as with the Toyota hack, finding an API that allowed for privileged access was a great way to get in,” Jason Kent, hacker in residence at API security company Cequence Security Inc., told SiliconANGLE. “It’s interesting they found that while trying a standard password reset attack but realized it would be way less noisy to attack the token directly.”

Kent noted that API security is immature, but application security, the basis for it, has been around for the better part of three decades.

“The lessons we thought we had learned in AppSec don’t seem to be resonating with the same communities that are looking after APIs,” Kent added. “‘If the technique works at my neighbor, it will probably work on me’ needs to be a priority. Taking the lessons learned from the industry and applying them is the only way we are going to make things better.”

Photo: Pixnio
