Honda’s e-commerce platform for power equipment, marine, lawn & garden, was vulnerable to unauthorized access by anyone due to API flaws that allow password reset for any account.
Honda is a Japanese manufacturer of automobiles, motorcycles, and power equipment. In this case, only the latter division is impacted, so owners of Honda cars or motorcycles aren’t affected.
The security gap in Honda’s systems was discovered by security researcher Eaton Zveare, the same who breached Toyota’s supplier portal a few months back, leveraging similar vulnerabilities.
For Honda, Eaton Works exploited a password reset API to reset the password of valuable accounts and then enjoy unrestricted admin-level data access on the firm’s network.
“Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account,” explains the researcher.
As a result, the following information was exposed to the security researcher and possibly to threat actors leveraging the same vulnerability:
21,393 customer orders across all dealers from August 2016 to March 2023 – this includes customer name, address, phone number, and items ordered.
1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
1,090 dealer emails (includes first & last name).
11,034 customer emails (includes first & last name).
Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
Internal financial reports.
The above data could be used for launching phishing campaigns, social engineering attacks, or sold on hacker forums and dark web markets.
Also, having access to the dealer sites, attackers could plant credit card skimmers or other malicious JavaScript snippets.
Accessing admin panels
Zveare explains that the API flaw lay in Honda’s e-commerce platform, which assigns “powerdealer.honda.com” subdomains to registered resellers/dealers.
The researcher found that the password reset API on one of Honda’s sites, Power Equipment Tech Express (PETE), processed reset requests without a token or the previous password, only requiring a valid email.
While this vulnerability isn’t present on the e-commerce subdomains login portal, the credentials switched through the PETE site will still work on them, so anyone can access internal dealership data through this simple attack.
The only missing piece is having a valid email address belonging to a dealer, which the researcher procured from a YouTube video that demoed the dealer dashboard using a test account.
The next step was accessing information from real dealers besides the test account. However, it would be preferable to do so without disrupting their operation and without having to reset the passwords of hundreds of accounts.
The solution the researcher found was to leverage a second vulnerability, which is the sequential assignment of user IDs in the platform and the lack of access protections.
This made it possible to access the data panels of all Honda dealers arbitrarily by incrementing the user ID by one until there weren’t any other results.
“Just by incrementing that ID I could gain access to every dealer’s data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset anymore passwords moot.” said Zvaere.
It is worth noting that the above flaw could have been exploited by Honda’s registered dealers to access the panels of other dealers, and by extension, their orders, customer details, etc.
The final step of the attack was to access Honda’s admin panel, which is the central control point for the firm’s e-commerce platform.
The researcher accessed it by modifying an HTTP response to make it appear like he was an admin, giving him unlimited access to the Honda Dealer Sites platform.
The above was reported to Honda on March 16, 2023, and by April 3, 2023, the Japanese firm confirmed that all problems had been fixed.
Having no bug bounty program in place, Honda did not reward Zveare for his responsible reporting, which is the same outcome as in the Toyota case.