"Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data"

A researcher named Eaton Zveare has recently disclosed the details of serious vulnerabilities discovered in a Honda ecommerce platform used for equipment sales. Exploitation of the flaws could have allowed an attacker to gain access to customer and dealer information. Zveare notified Honda about his findings in mid-March. The vendor immediately took steps to address the issues and thanked the white hat hacker for his work but did not reward him, as it does not have a bug bounty program. Honda said it did not find any evidence of malicious exploitation.

While Honda is best known for its cars, the ecommerce platform analyzed by Zveare is designed for the sales of Honda power equipment (generators, pumps, lawnmowers), boat engines, and accessories. The researcher noted that the platform powers Honda Dealer Sites, a service that dealers can use to create websites where they sell Honda products. Dealers need to create an account and are then provided with all the tools they need to create a website, promote it, and handle product orders.

Zveare discovered a password reset API vulnerability in an admin dashboard that allowed him to reset the password of a test account set up by Honda. While that only gave him access to the test account, he discovered an insecure direct object reference (IDOR) vulnerability that gave him access to every dealer's data simply by changing the value of an ID in the admin panel's URL. From the dealer admin dashboard, he was also able to elevate privileges to administrator of the entire platform using a specially crafted request. Zveare noted that this administration panel provided an overview of the dealer network, including the amount of money earned in subscription fees.

Zveare said he had gained access to more than 21,000 customer orders ranging from 2016 to 2023, including name, address, phone number, and information on the ordered items. The vulnerabilities also exposed 1,500 dealer sites that could have been modified by the attacker. Zveare also found more than 3,500 dealer accounts for which he could have changed the password, roughly 1,000 dealer email addresses, and 11,000 customer email addresses. He believes it may have also been possible to obtain the private keys provided by some dealers for payment services such as PayPal, Stripe, and Authorize[.]net.
SecurityWeek reports: "Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data"