Honda customer data could have been accessed by anyone
If you ever bought a Honda lawn mower, then your personal information could have been leaked to malicious third parties.
This is according to a cybersecurity researcher who found a fatal flaw in Honda’s e-commerce platform and subsequently abused it to gain access to a lot of sensitive customer data.
As reported by BleepingComputer, Honda’s automotive and other divisions were not affected; only the platform for lawn & garden hardware was found to be flawed.
Stealing data and money
The researcher – the same one that recently found unsecured databases belonging to Toyota – said a password reset API allowed him to reset the password of valuable accounts, and use them to access admin-level information in a Honda reseller subdomain.
The only thing he needed was a valid email address, and he found one for a test account, in a YouTube explainer video.
But the test account didn’t hold all the necessary data; he would still need access to an actual account. That proved to be very easy, and he managed to pull it off without alerting anyone. As the user IDs on the platform are assigned sequentially, all he had to do was increment the user ID by one until no further results came back, and voilà.
“Just by incrementing that ID I could gain access to every dealer’s data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot,” said the researcher, Eaton Zveare.
Finally, after modifying an HTTP response to make it seem as if he were an administrator, he gained access to Honda’s admin panel, which in turn gave him unrestricted access to the sensitive data contained within.
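Both weaknesses described above, a sequential dealer ID that the page’s JavaScript feeds straight into API calls and an admin role the client could assert by editing an HTTP response, come down to authorization being decided on the client. The Python below is an added illustration, not Honda’s code or the researcher’s: the unchecked lookup beside a server-side object-level check, plus a small log scan that flags a session sweeping dealer IDs. The dealer records, session fields, URL paths and log lines are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the dealer records behind the API.
DEALERS = {
    "d-1001": {"name": "Dealer A", "orders": 12},
    "d-1002": {"name": "Dealer B", "orders": 7},
}

@dataclass
class Session:
    user: str
    dealer_id: str          # the one dealer this login belongs to
    is_admin: bool = False  # authoritative role, held server-side only

def fetch_dealer_vulnerable(session, dealer_id):
    """Vulnerable pattern: the ID from the page's API call is looked up with no
    check against the caller, so any login can walk d-1001, d-1002, ..."""
    return DEALERS.get(dealer_id)

def authorize(session, dealer_id):
    """Object-level check: own record, or admin per the server-side session.
    A role flag the browser edits into an HTTP response is never consulted."""
    return session.is_admin or session.dealer_id == dealer_id

def fetch_dealer_hardened(session, dealer_id):
    if not authorize(session, dealer_id):
        raise PermissionError(f"{session.user} may not read {dealer_id}")
    return DEALERS[dealer_id]

def flag_enumeration(log_lines, max_ids=1):
    """Detection: a session touching more distinct dealer IDs than it owns
    (more than max_ids) is sweeping the ID space. Line format is constructed:
    '<session> <method> <path> <status>'."""
    seen = {}
    for line in log_lines:
        sess, _method, path = line.split()[:3]
        if path.startswith("/api/dealer/"):
            seen.setdefault(sess, set()).add(path.rsplit("/", 1)[1])
    return sorted(s for s, ids in seen.items() if len(ids) > max_ids)

# Constructed access log: sess-A reads only its own dealer, sess-B sweeps.
SAMPLE_LOG = [
    "sess-A GET /api/dealer/d-1002 200",
    "sess-A GET /api/orders 200",
    "sess-B GET /api/dealer/d-1001 200",
    "sess-B GET /api/dealer/d-1002 200",
]
```

The check in `authorize` has to run on every request that takes an object ID, and the role it consults must come from server-side session state; making IDs non-sequential is only defence in depth on top of that.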
The data Zveare was able to access includes:
- 21,393 customer orders from all dealers, dated August 2016 to March 2023 (customer names, addresses, phone numbers, and items ordered)
- 1,570 dealer websites (roughly two-thirds are still active)
- 3,588 dealer users/accounts (includes full names and email addresses), and the ability to reset the passwords for each one
- 1,090 dealer emails (includes full names)
- 11,034 customer emails (includes full names)
Honda fixed the flaw in early April, the researcher concluded.
Via: BleepingComputer