Honda’s E-commerce Platform Vulnerable to Unauthorized Access Due to API Flaws

IT Services has discovered that Honda’s e-commerce platform for power equipment, marine, and lawn & garden was vulnerable to unauthorized access by anyone due to API flaws that allowed password reset for any account. Honda is a Japanese manufacturer of automobiles, motorcycles, and power equipment. In this case, only the latter division is impacted, so owners of Honda cars or motorcycles aren’t affected.

IT Services found a security gap in Honda’s systems that allowed unrestricted admin-level data access on the firm’s network. This vulnerability was discovered by a security researcher using the pseudonym ‘Eaton Works’, who is the same individual that breached Toyota’s supplier portal a few months earlier by leveraging similar vulnerabilities.

Eaton Works exploited a password reset API that allowed the password of valuable accounts to be reset, thus providing unrestricted admin-level data access on the firm’s network. According to the researcher, “broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”

As a result of this vulnerability, the following information was exposed to the security researcher and possibly to threat actors leveraging the same vulnerability:

• 21,393 customer orders across all dealers from August 2016 to March 2023 – this includes customer name, address, phone number, and items ordered.
• 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
• 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
• 1,090 dealer emails (includes first & last name).
• 11,034 customer emails (includes first & last name).
• Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
• Internal financial reports.

The above data could be used for launching phishing campaigns, social engineering attacks, or sold on hacker forums and dark web markets. Also, having access to the dealer sites, attackers could plant credit card skimmers or other malicious JavaScript snippets.

What Are the Potential Risks for UPS Customers After the Data Breach and SMS Phishing Scams?

The recent ups data breach exposes sensitive information, posing potential risks for UPS customers. With their personal and financial data compromised, customers may experience identity theft, fraudulent transactions, or even financial losses. Furthermore, SMS phishing scams exploiting this breach can deceive customers into sharing more sensitive data, worsening the already dire consequences. Vigilance and caution are essential to mitigate these risks.

Accessing Admin Panels

Eaton Works discovered that the API flaw lay in Honda’s e-commerce platform, which assigns “powerdealer.honda.com” subdomains to registered resellers/dealers. The researcher found that the password reset API on one of Honda’s sites, Power Equipment Tech Express (PETE), processed reset requests without a token or the previous password, only requiring a valid email.

While this vulnerability isn’t present on the e-commerce subdomains login portal, the credentials switched through the PETE site will still work on them, so anyone can access internal dealership data through this simple attack.

The only missing piece is having a valid email address belonging to a dealer, which the researcher procured from a YouTube video that demoed the dealer dashboard using a test account.

The next step was accessing information from real dealers besides the test account. However, it would be preferable to do so without disrupting their operation and without having to reset the passwords of hundreds of accounts.

The solution the researcher found was to leverage a second vulnerability, which is the sequential assignment of user IDs in the platform and the lack of access protections. This made it possible to access the data panels of all Honda dealers arbitrarily by incrementing the user ID by one until there weren’t any other results. “Just by incrementing that ID, I could gain access to every dealer’s data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot,” said Eaton Works.

It is worth noting that the above flaw could have been exploited by Honda’s registered dealers to access the panels of other dealers, and by extension, their orders, customer details, etc.

The final step of the attack was to access Honda’s admin panel, which is the central control point for the firm’s e-commerce platform. The researcher accessed it by modifying an HTTP response to make it appear like he was an admin, giving him unlimited access to the Honda Dealer Sites platform.

The above was reported to Honda on March 16, 2023, and by April 3, 2023, the Japanese firm confirmed that all problems had been fixed.

IT Services recommends that all Honda dealers review their accounts and take appropriate measures to secure their data. We also recommend that Honda establishes a bug bounty program to encourage security researchers to report vulnerabilities responsibly.