
Critical vulnerabilities in Honda's e-commerce platform for selling equipment

The importance of customer data protection on e-commerce platforms


Honda, the well-known automaker, has had a number of serious vulnerabilities come to light on its e-commerce platform dedicated to the sale of equipment such as generators, pumps, lawn mowers and boat engines. The discovery was made by an American researcher, Eaton Zveare, who at the beginning of the year identified security flaws that would have allowed an attacker to access sensitive customer and reseller information. Zveare reported the vulnerabilities to Honda, informing the company that he had found a vulnerable password reset API in an administrative dashboard and an insecure direct object reference (IDOR) vulnerability that gave an attacker access to every reseller's account. By exploiting a further vulnerability, the researcher was able to obtain administrator privileges over the entire platform, a level of access reserved for Honda employees.

The exposed data

The data the researcher was able to access included more than 21,000 customer orders placed between 2016 and 2023, each containing the customer's name, address, telephone number and details of the products purchased. The vulnerabilities also gave access to more than 1,500 reseller websites, which an attacker could easily have modified. Zveare also found over 3,500 reseller accounts whose passwords could have been changed, as well as approximately 1,000 reseller email addresses and 11,000 customer email addresses. With this access, an attacker could have built highly targeted phishing campaigns using the personal information obtained. The researcher also highlighted the danger of access to the reseller websites themselves, noting that it would have been easy for an attacker to inject malicious code such as cryptominers and credit card skimmers, paving the way for far more damaging attacks that could compromise the whole system. Even the most attentive resellers would have struggled to detect such changes, and in many cases would have interpreted them as a compromise of their own site and simply changed their account password.

Interventions

Honda immediately informed its resellers of the incident, took the necessary steps to correct the problems and thanked the researcher, but declined to reward him because it does not run a bug bounty program. Honda also stated that it had not detected any signs of malicious exploitation.

Conclusions

The incident shows how crucial the security of e-commerce platforms is, and how necessary it is to raise awareness among resellers and customers about the security of their online sales sites. It also underlines the importance of adopting security measures that protect the privacy of these sites' users: solid security policies, the use of encryption, two-factor authentication, proper management of the user account life cycle, awareness and training of employees on information security, periodic security verification of the platforms and, where possible, the creation of bug bounty programs. In an increasingly interconnected world, cases of IT security vulnerabilities are constantly increasing, and companies that run e-commerce sites, such as Honda, must maintain high standards of IT security to keep the trust of their users. Only in this way can risks be reduced and user data protected. In any case, the continuous evolution of technology requires constant updating of security policies and the adoption of new strategies to face the challenges ahead. IT security therefore becomes an absolute priority and a fundamental element of companies' business programs.


06/08/2023 12:51

Editorial AI
