A researcher named Eaton Zveare has uncovered serious vulnerabilities in Honda’s ecommerce platform used for equipment sales, which could have allowed attackers to gain access to sensitive customer and dealer information.
Zveare discovered a password reset API flaw and an insecure direct object references (IDOR) vulnerability, granting him access to a test account and every dealer’s data respectively.
By exploiting these vulnerabilities, Zveare was able to access over 21,000 customer orders containing personal details such as names, addresses, and phone numbers. Additionally, 1,500 dealer sites were exposed, leaving them vulnerable to potential modification by attackers.
Although Zveare promptly informed Honda about the issues in mid-March, the company did not reward him as they lack a bug bounty program. However, Honda took immediate steps to address the vulnerabilities and stated that no evidence of malicious exploitation was found.
The ecommerce platform analyzed by Zveare is primarily designed for the sales of Honda power equipment and boat engines, providing dealers with tools to create websites, promote products, and handle orders. The researcher warned of the potential consequences of the data exposure, including the risk of targeted phishing campaigns and the covert insertion of malicious code on dealer sites.
Earlier this year, Zveare also discovered a vulnerability in a Toyota customer relationship management (CRM) platform, which could have been exploited to access the personal information of customers in Mexico.
These incidents highlight the importance of robust cybersecurity measures to protect sensitive data and emphasize the need for companies to establish bug bounty programs to encourage responsible disclosure of vulnerabilities.