UPDATED 20:47 EDT / JUNE 08 2023


Vulnerability on Honda platform could have exposed customer and dealer details

A recently detailed vulnerability in an e-commerce platform offered by Honda Motor Co. Ltd. could have exposed the details of both Honda customers and dealers.

First detailed June 6 by security researcher Eaton Zveare, the flaw stemmed from a password reset application programming interface that allowed an attacker to reset the password of any account, combined with broken access controls that then exposed all data on the platform.

Using the vulnerability, Zveare obtained admin-level access. With it, he could reach 21,393 customer orders, including personal information and items ordered; 1,570 dealer websites; 3,588 dealer accounts; 1,090 dealer emails; 11,034 customer emails; potentially private keys for Stripe Inc., PayPal Holdings Inc. and Authorize.net belonging to dealers; and internal financial reports.
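The two flaw classes described above, a password reset endpoint that does not demand proof of account ownership and an object-level authorization check that is missing on dealer data, are common enough to be worth seeing side by side. The following is an added example, not Honda's code or Zveare's proof of concept; the user store, dealer IDs and order numbers are constructed for illustration, and nothing in it reflects how Honda's actual API was implemented. It pairs a vulnerable reset function with a hardened one that requires a random, hashed, expiring, single-use token bound to one account, and adds a dealer-scoped data accessor.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


# Constructed sample data for the example; none of it is Honda's.
@dataclass
class User:
    email: str
    password_hash: str
    role: str                      # "customer", "dealer" or "admin"
    dealer_id: Optional[str] = None


def hash_password(password: str) -> str:
    # Plain SHA-256 keeps the example dependency-free; a real service
    # would use a slow, salted hash such as argon2id or bcrypt.
    return sha256(password.encode()).hexdigest()


def sample_users() -> Dict[str, User]:
    return {
        "alice@example.com": User("alice@example.com", hash_password("alice-pw"), "customer"),
        "bob@dealer-a.example": User("bob@dealer-a.example", hash_password("bob-pw"), "dealer", "dealer-a"),
        "carol@dealer-b.example": User("carol@dealer-b.example", hash_password("carol-pw"), "dealer", "dealer-b"),
        "root@example.com": User("root@example.com", hash_password("root-pw"), "admin"),
    }


# Vulnerable pattern: the reset endpoint trusts the caller-supplied email
# and never asks for proof that the caller owns the account.
def vulnerable_reset(users: Dict[str, User], email: str, new_password: str) -> bool:
    user = users.get(email)
    if user is None:
        return False
    user.password_hash = hash_password(new_password)
    return True


# Hardened pattern: a random, hashed, expiring, single-use token bound to
# one account must be presented before the password changes.
class ResetTokenStore:
    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self._tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expiry)
        self.ttl = ttl_seconds
        self.now = now

    def issue(self, users: Dict[str, User], email: str) -> Optional[str]:
        # In production the token is delivered only to the account's mailbox and
        # the HTTP response is identical whether or not the email exists, to block
        # account enumeration; it is returned here so the example can finish the flow.
        if email not in users:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[sha256(token.encode()).hexdigest()] = (email, self.now() + self.ttl)
        return token

    def redeem(self, users: Dict[str, User], email: str, token: str, new_password: str) -> bool:
        entry = self._tokens.pop(sha256(token.encode()).hexdigest(), None)  # single use
        if entry is None:
            return False
        bound_email, expiry = entry
        if self.now() > expiry:
            return False
        if not hmac.compare_digest(bound_email.encode(), email.encode()):
            return False         # token was issued for a different account
        users[email].password_hash = hash_password(new_password)
        return True


# Object-level authorization for dealer data: a dealer may read only its
# own records, an admin may read any, a customer none.
def dealer_orders(requester: User, dealer_id: str, orders: Dict[str, List[str]]) -> List[str]:
    if requester.role == "admin" or (requester.role == "dealer" and requester.dealer_id == dealer_id):
        return list(orders.get(dealer_id, []))
    raise PermissionError(f"{requester.email} may not read orders for {dealer_id}")


def login_ok(users: Dict[str, User], email: str, password: str) -> bool:
    user = users.get(email)
    return user is not None and hmac.compare_digest(user.password_hash, hash_password(password))


if __name__ == "__main__":
    users = sample_users()
    # Attacker knows only the victim's email; the weak endpoint hands over the account.
    print("vulnerable reset succeeded:", vulnerable_reset(users, "alice@example.com", "pwned"))
    print("attacker can log in as alice:", login_ok(users, "alice@example.com", "pwned"))
    # The hardened flow refuses without the token that only the owner receives.
    store = ResetTokenStore()
    print("guessing a token:", store.redeem(users, "alice@example.com", "not-the-token", "pwned2"))
    token = store.issue(users, "alice@example.com")
    print("owner redeems once:", store.redeem(users, "alice@example.com", token, "fresh-pw"))
    print("replay rejected:", store.redeem(users, "alice@example.com", token, "again"))
```

The hardened store burns a token on the first redemption attempt even when the email does not match, so a token stolen for one account cannot be retried against another; the dealer accessor checks the requester's own scope rather than trusting a dealer ID supplied in the request.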

Zveare noted that the issue did not affect Honda's automobile business but was confined to Honda's other product lines sold online, such as power equipment, marine products, and lawn and garden products. It is uncertain exactly how long the vulnerability existed, but Honda's e-commerce platform and dealer sites have been operating since 2016.

After being contacted with the details in April, Honda patched the issue before Zveare went public. Zveare was previously in the news in February when he disclosed details of a vulnerability in Toyota’s Global Supplier Preparation Information Management System.

“Just as with the Toyota hack, finding an API that allowed for privileged access was a great way to get in,” Jason Kent, hacker in residence at API security company Cequence Security Inc., told SiliconANGLE. “It’s interesting they found that while trying a standard password reset attack but realized it would be way less noisy to attack the token directly.”

Kent noted that API security is immature, but application security, the discipline it builds on, has been around for the better part of three decades.

“The lessons we thought we had learned in AppSec don’t seem to be resonating with the same communities that are looking after APIs,” Kent added. “‘If the technique works on my neighbor, it will probably work on me’ needs to be a priority. Taking the lessons learned from the industry and applying them is the only way we are going to make things better.”

Photo: Pixnio
