Honda’s e-commerce platform, catering to the power equipment, marine, lawn & garden sectors, recently found itself under scrutiny due to API vulnerabilities. These flaws allowed anyone to reset passwords for any account, leading to unauthorized access.
It’s important to note that the issues didn’t extend to Honda’s automobiles or motorcycles – only the power equipment division was affected.
The cybersecurity researcher Eaton Zveare, who had previously identified similar vulnerabilities in Toyota’s supplier portal, uncovered this loophole in Honda’s system.
In this case, Zveare exploited a password reset API, enabling him to reset valuable account passwords. This action gave him unrestricted admin-level access to the company’s network data.
As Zveare explains, the platform’s inadequate access controls made it possible to access all data, even when logged in using a test account.
The potential data exposure included:
- 21,393 customer orders (2016 – 2023)
- 1,570 dealer websites, 1,091 of which are active
- 3,588 dealer users/accounts
- 1,090 dealer emails
- 11,034 customer emails
- Possible exposure of Stripe, PayPal, and Authorize.net private keys
- Internal financial reports
This accessible information could be leveraged for phishing campaigns, social engineering attacks, or sold on hacker forums and dark web markets.
Zveare detailed the API flaw, explaining that it resided in Honda’s e-commerce platform. The platform assigns “powerdealer.honda.com” subdomains to its registered dealers.
Zveare discovered that the password reset API on one of Honda’s sites, Power Equipment Tech Express (PETE), processed reset requests without needing a token or previous password – a valid email was sufficient.
Although the login portal on the e-commerce subdomains did not have this vulnerability, credentials changed through the PETE site still worked there. This meant anyone could gain access to internal dealership data through this simple exploit.
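The reset flaw described above is, in defensive terms, a missing proof-of-possession step: the request carried nothing that only the account holder could know. The following added example (not Honda's code, and not from the researcher's write-up; the store layout, function names and sample account are assumptions for illustration) places the pattern the article describes next to a reset flow that requires a random, single-use, time-limited token bound to the address, stores only an HMAC of that token, and compares it in constant time.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the platform's database (assumption:
# the real platform's schema is not on the page).
USERS = {}            # email -> {"pw_hash": bytes, "salt": bytes}
PENDING_RESETS = {}   # email -> (hmac_of_token, expiry_unix_time)
RESET_TTL_SECONDS = 15 * 60
# Key used to HMAC reset tokens before storing them; a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email, password):
    salt = os.urandom(16)
    USERS[email] = {"pw_hash": _hash_password(password, salt), "salt": salt}


def verify_password(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def reset_password_insecure(email, new_password):
    """The pattern the article describes: a valid email is the only requirement,
    so anyone who knows an account's address can change its password."""
    if email not in USERS:
        return False
    set_password(email, new_password)
    return True


def _token_hmac(token):
    return hmac.new(SERVER_KEY, token.encode(), "sha256").digest()


def request_reset(email, now=None):
    """Issue a random, single-use, time-limited token bound to the address.
    Returns the token so the caller can deliver it out of band (by email); only its HMAC
    is stored, so a read of the store does not yield a usable token. Unknown addresses
    get None, and the HTTP layer should answer both cases identically."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[email] = (_token_hmac(token), now + RESET_TTL_SECONDS)
    return token


def reset_password_secure(email, token, new_password, now=None):
    """Change the password only if a live, unexpired token for this exact address is presented."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.get(email)
    if entry is None:
        return False
    stored_hmac, expiry = entry
    if now > expiry:
        PENDING_RESETS.pop(email, None)   # expired requests are discarded
        return False
    if not hmac.compare_digest(_token_hmac(token), stored_hmac):
        return False                      # wrong token; the pending request stays for the legitimate user
    PENDING_RESETS.pop(email, None)       # single use: a captured token cannot be replayed
    set_password(email, new_password)
    return True


# Constructed sample account.
set_password("dealer@example.com", "original-password")
```

Two points the code makes that the paragraph does not: the token is bound to the email in the pending-request record, so a token issued for one address cannot be presented for another, and the wrong-token path leaves the pending request in place but should be rate limited at the HTTP layer so the 256-bit token cannot be guessed.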
Next, Zveare focused on accessing real dealer data without disrupting operations or resetting numerous passwords. The solution was to take advantage of another vulnerability: the platform’s sequential assignment of user IDs and its lack of access protections. By incrementing the user ID, the researcher could access all dealer data.
Zveare also managed to access Honda’s admin panel – the nerve center of the e-commerce platform – by modifying an HTTP response to simulate admin status.
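The two remaining flaws share one root cause: the server trusted what the client presented (a user ID it could simply count up, a response body it could edit) instead of deciding authorization itself. The added example below (not Honda's or the researcher's code; the record layout, session store and names are assumptions) shows the object-level check a dealer data endpoint needs, with role read from a server-side session rather than from any client-supplied field, and uses random rather than sequential record ids so that one valid id says nothing about the next.

```python
import secrets

# Constructed dealer records (assumption: the platform's real schema is not on the page). Keys are
# random, non-sequential ids so a valid id reveals nothing about its neighbours, but the
# authorization check below is the control that actually matters.
DEALERS = {
    "dlr_7f3a9c": {"owner": "alice@example.com", "site": "alice.example-dealers.test", "orders": 42},
    "dlr_1b82e4": {"owner": "bob@example.com", "site": "bob.example-dealers.test", "orders": 17},
}

# Server-side session store. Role is looked up here on every request; nothing the client
# sends (or edits in a response it received earlier) can change it.
SESSIONS = {}


def login(email, role):
    """Constructed stand-in for credential verification: returns an opaque session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": email, "role": role}
    return sid


def get_dealer_insecure(dealer_id):
    """The pattern the article describes: any caller who can form an id gets the record."""
    return DEALERS.get(dealer_id)


def _authorize(session_id, dealer_id):
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    dealer = DEALERS.get(dealer_id)
    if dealer is None:
        return False
    return session["role"] == "admin" or dealer["owner"] == session["email"]


def get_dealer(session_id, dealer_id):
    """Object-level check on every read: owner or admin, otherwise None. Missing and
    forbidden records look identical to the caller, so ids cannot be confirmed by probing."""
    if not _authorize(session_id, dealer_id):
        return None
    return DEALERS[dealer_id]


def list_dealers(session_id):
    """Return only the record ids the session may see, sorted for stable output."""
    session = SESSIONS.get(session_id)
    if session is None:
        return []
    if session["role"] == "admin":
        return sorted(DEALERS)
    return sorted(d for d, rec in DEALERS.items() if rec["owner"] == session["email"])


def is_admin(session_id, client_claims=None):
    """Admin status comes from the session store only. client_claims models fields such as
    an isAdmin flag in a request body or an edited response; they are deliberately ignored."""
    session = SESSIONS.get(session_id)
    return session is not None and session["role"] == "admin"
```

The detection angle follows from the same check: every denied `get_dealer` call is a log event, and a single session producing many denials across different dealer ids is the signature of the enumeration the article describes, which is worth alerting on even after the authorization bug is fixed.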
After reporting the flaws to Honda on March 16, 2023, the company confirmed the issues were resolved by April 3, 2023. Despite Zveare’s responsible reporting, Honda, which lacks a bug bounty program, offered no reward – mirroring the researcher’s experience with Toyota.