Cyber Security News

Honda E-Commerce Hack: Password Reset Exposes Data

Honda, one of the world's leading automobile manufacturers, recently had a serious security breach revealed by Eaton Zveare, a cybersecurity researcher. Multiple vulnerabilities in Honda's e-commerce platform exposed sensitive customer and dealer data, leaving those affected at risk of exploitation. In addition to this data, Zveare also gained access to internal financial reports.

The report, published on Eaton Works, revealed the risk; however, Zveare does state that the hack “did not impact Honda’s automobile business. Only the power equipment / marine / lawn & garden business. Honda vehicle owners should not be concerned – only those who purchased other Honda products online.”

Honda Breach Possible Through a Password Reset Mechanism

The vulnerabilities include incorrectly configured or missing access controls, making it possible to access all data on the platform. The breach was possible through a password reset mechanism on one of Honda's sites, Power Equipment Tech Express (PETE), which could be used to reset the password associated with any account and obtain full admin-level access.

Because the API allowed any user to send a password reset request simply by knowing the username or email address, without having to enter the password tied to that account, attackers could have leveraged this vulnerability to reset other users' passwords.

The data Zveare was able to access included 21,393 customer orders across all dealers. This includes the customer’s name, address, phone number, and items ordered between August 2016 and March 2023.

According to his report, a full list of what was available to Zveare included:

  • 21,393 customer orders across all dealers from August 2016 to March 2023 – this includes customer name, address, phone number, and items ordered.
  • 1,570 dealer websites (1,091 of those are active). It was possible to modify any of these sites.
  • 3,588 dealer users/accounts (includes first & last name, email address). It was possible to change the password of any of these users.
  • 1,090 dealer emails (includes first & last name).
  • 11,034 customer emails (includes first & last name).
  • Potentially: Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
  • Internal financial reports.

Potential Dangers of this Type of Security Breach

The data available to Zveare could have been used to launch phishing or social engineering attacks, or sold on hacker forums and dark web markets. In addition, with access to the dealer sites, attackers could have planted credit card skimmers or other malicious JavaScript snippets.

While this vulnerability is not present on the e-commerce subdomains' login portal, a subdomain switch through PETE still allows anyone to access internal dealership data.

Honda made a statement to Zveare saying: “Thank you again for letting us know about the observed issues with the Power Equipment & Marine sites. As you know, Honda quickly isolated access to the sites, and we subsequently updated the sites’ security measures. All of the sites have now returned to service. At this time, Honda is not aware of any use of this vulnerability to access sensitive consumer or dealer information stored on the sites or of any malicious activity.

We really appreciate receiving your notice about the potential vulnerabilities, which allowed us to take quick action to resolve the issues.”

How To Prevent This Type of Security Breach

Zveare concludes his report by offering key takeaways to help improve cybersecurity, which include:

  • Implement password resets correctly. When resetting a password, the most common method is to send an email to the user containing a URL + token they can go to in order to proceed with the reset. Also ensure you don’t accidentally introduce a backdoor to this process, like an insecure admin API to reset a user’s password.
  • Implement proper access controls. This was a textbook example of OWASP A01:2021 – Broken Access Control. Every token issued by the authentication service could be used to access any API endpoint without restriction, provided you knew where to look / how to query the APIs. You could also access another dealer’s dashboard just by changing the ID in the URL. Make sure all access/login tokens are properly scoped and don’t provide users with access to data they don’t need.
  • When making a single-page-application in React or Angular, be careful! As you build the application, remember your visitors’ browsers will see all your code, so be mindful what you include in the code. Code comments should not be presumed safe either!
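The two failures the article describes, a reset API that sets a new password given only a username and dashboard access controlled only by the dealer ID in the URL, are easiest to see next to the corrected pattern from the first two takeaways. The following is an added example written for this page, not Honda's code and not code from Zveare's report; the users, dealers, session store and mail "outbox" are constructed in-memory stand-ins, and the 15-minute token lifetime is an assumed policy. It shows the emailed URL + token reset flow (random token, only its hash stored, expiry, single use, old sessions dropped) beside the insecure direct reset, and a dashboard endpoint that checks the requested dealer ID against the scope bound to the session.

```python
"""Constructed example: token-based password reset and object-level
authorization for a dealer portal. Not Honda's or the report's code; all
data below is made up for illustration."""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes


def _hash_password(pw, salt):
    # PBKDF2 stand-in for whatever password hash the real system uses
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000).hex()


def make_user(username, email, password, dealer_id, role="dealer"):
    salt = secrets.token_hex(8)
    return {"username": username, "email": email, "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "dealer_id": dealer_id, "role": role}


# Constructed sample accounts and dealer data (not real)
USERS = {
    "alice": make_user("alice", "alice@dealer-a.example", "correct horse", dealer_id=101),
    "bob":   make_user("bob",   "bob@dealer-b.example",   "battery staple", dealer_id=202),
    "admin": make_user("admin", "admin@portal.example",   "top secret", dealer_id=None, role="admin"),
}
DASHBOARDS = {101: "dealer A sales data", 202: "dealer B sales data"}

RESET_TOKENS = {}  # sha256(token) -> (username, expiry); only the hash is stored
OUTBOX = []        # (recipient email, reset link): stand-in for sending mail
SESSIONS = {}      # session token -> {"username", "dealer_id", "role"}


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


# The anti-pattern from the article: an endpoint that sets a new password for
# any username with no proof that the caller controls the account.
def insecure_direct_reset(username, new_password):
    user = USERS.get(username)
    if not user:
        return False
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    return True


# Hardened step 1: anyone may request a reset, but the only effect is a link
# mailed to the address on file. The reply is the same whether or not the
# identifier exists, so the endpoint does not reveal which accounts exist.
def request_password_reset(identifier, now=None):
    now = time.time() if now is None else now
    user = next((u for u in USERS.values()
                 if identifier in (u["username"], u["email"])), None)
    if user:
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        RESET_TOKENS[_token_hash(token)] = (user["username"], now + RESET_TTL_SECONDS)
        OUTBOX.append((user["email"], "https://portal.example/reset?token=" + token))
    return "If that account exists, a reset link has been sent."


# Hardened step 2: the token from the email is the proof of control.
def complete_password_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_hash(token), None)  # pop makes it single-use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    user = USERS[username]
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    for s in [s for s, v in SESSIONS.items() if v["username"] == username]:
        del SESSIONS[s]  # a password change ends existing sessions
    return True


def login(username, password):
    user = USERS.get(username)
    if not user or not hmac.compare_digest(user["pw_hash"],
                                           _hash_password(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    # The session carries its scope; every data endpoint must check it.
    SESSIONS[token] = {"username": username, "dealer_id": user["dealer_id"], "role": user["role"]}
    return token


# Object-level authorization: the dealer ID taken from the URL is compared
# with the dealer bound to the session, so editing the ID is not enough.
def get_dealer_dashboard(session_token, dealer_id):
    session = SESSIONS.get(session_token)
    if session is None:
        return None  # no valid session (401)
    if session["role"] != "admin" and session["dealer_id"] != dealer_id:
        return None  # scoped session asking for another dealer's data (403)
    return DASHBOARDS.get(dealer_id)
```

The reset token is never stored in clear and is removed on first use, so neither a copied database row nor a replayed link yields a second reset; the dashboard check is the same comparison that the article says was missing when the dealer ID in the URL was changed.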

Earlier this year, Zveare reported finding a vulnerability in a Toyota CRM platform that allowed unauthorized access to the personal information of customers in Mexico.

You can read the full report of his Honda E-Commerce Hack here, which provides an in-depth analysis of how the attack was possible, helping other cybersecurity professionals be more aware of how to protect their valuable data and brand reputation.