Honda customer data could have been accessed by anyone
A researcher finds a major flaw in Honda’s e-commerce platform
If you ever bought a Honda lawn mower, then your personal information could have been leaked to malicious third parties.
This is according to a cybersecurity researcher who found a fatal flaw in Honda’s e-commerce platform and subsequently abused it to gain access to a lot of sensitive customer data.
As reported by BleepingComputer, Honda’s automotive and other divisions were not affected; only the platform for lawn & garden hardware was found to be flawed.
Stealing data and money
The researcher - the same one who recently found unsecured databases belonging to Toyota - said a password reset API allowed him to reset the password of high-value accounts and use them to access admin-level information on a Honda reseller subdomain.
The only thing he needed was a valid email address, and he found one for a test account in a YouTube explainer video.
But the test account did not hold all the data he was after; he would still need access to a real dealer account. That proved very easy, and he managed it without alerting anyone: because user IDs on the platform are assigned sequentially, all he had to do was increment the ID by one until the API returned no further results.
“Just by incrementing that ID I could gain access to every dealer’s data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot,” said researcher Eaton Zveare.
Finally, after modifying an HTTP response so that the application treated him as an administrator, he gained access to Honda’s admin panel, which in turn gave him unlimited access to the sensitive data contained within. That a tampered response was enough is a sign that the administrator check was being made in the browser rather than enforced by the backend.
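The three failures the article describes (a password reset that needs only an email address, a dealer lookup that trusts a sequential ID from the client, and an admin check that trusts a role the browser reports back) all come down to missing server-side authorization. The following is an added example written for this page, not code from Honda, the article, or the researcher; it simulates each weak endpoint beside a hardened version, using a constructed in-memory dealer table. All names, IDs and records are made up.

```python
"""Constructed illustration of the three authorization failures described
above, each beside a server-side check that closes it.  Not Honda's code."""
import secrets
from dataclasses import dataclass

# Constructed dealer records with sequential IDs, as on the platform described.
DEALERS = {
    1001: {"email": "a@example.invalid", "password": "pw-a", "orders": ["ORD-1"]},
    1002: {"email": "b@example.invalid", "password": "pw-b", "orders": ["ORD-2", "ORD-3"]},
    1003: {"email": "c@example.invalid", "password": "pw-c", "orders": []},
}


class Forbidden(Exception):
    pass


@dataclass
class Session:
    user_id: int   # account this session was authenticated as
    role: str      # role as recorded by the server at login, never by the client


# --- 1. Password reset --------------------------------------------------------

def reset_password_vulnerable(email, new_password):
    """Anyone who knows an address can set that account's password."""
    for rec in DEALERS.values():
        if rec["email"] == email:
            rec["password"] = new_password
            return True
    return False


RESET_TOKENS = {}  # token -> user_id; a real store would hash it and add an expiry


def request_reset_hardened(email):
    """Issue a single-use token that is delivered only to the mailbox on file."""
    for uid, rec in DEALERS.items():
        if rec["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = uid
            return token  # returned here only so the example runs offline
    return None


def reset_password_hardened(token, new_password):
    """Only the holder of an unused token may change the password."""
    uid = RESET_TOKENS.pop(token, None)
    if uid is None:
        raise Forbidden("invalid or already used reset token")
    DEALERS[uid]["password"] = new_password
    return uid


# --- 2. Dealer lookup: IDOR on sequential IDs ---------------------------------

def get_dealer_vulnerable(session, dealer_id):
    """Uses the ID from the request as-is; any logged-in user reads any dealer."""
    return DEALERS.get(dealer_id)


def get_dealer_hardened(session, dealer_id):
    """Object-level authorization: the requested ID must belong to the caller."""
    if session.role != "admin" and dealer_id != session.user_id:
        raise Forbidden("dealer %d does not belong to this session" % dealer_id)
    return DEALERS.get(dealer_id)


DENIED = object()


def enumerate_dealers(fetch, session, start):
    """The walk described in the article: bump the ID by one until nothing comes back."""
    found, dealer_id = {}, start
    while True:
        try:
            rec = fetch(session, dealer_id)
        except Forbidden:
            rec = DENIED
        if rec is None:          # no such dealer: end of the sequence
            return found
        if rec is not DENIED:
            found[dealer_id] = rec
        dealer_id += 1


# --- 3. Admin panel: role asserted by the client vs. recorded by the server ----

def admin_panel_vulnerable(session, claimed_role):
    """Trusts a role field the browser sends back, so editing the HTTP response
    that populated that field is enough to become an administrator."""
    if claimed_role != "admin":
        raise Forbidden("not an admin")
    return sorted(DEALERS)


def admin_panel_hardened(session, claimed_role):
    """Ignores whatever the client claims and checks the server-side role."""
    if session.role != "admin":
        raise Forbidden("not an admin")
    return sorted(DEALERS)


if __name__ == "__main__":
    dealer_b = Session(user_id=1002, role="dealer")
    print(len(enumerate_dealers(get_dealer_vulnerable, dealer_b, 1001)))  # every dealer
    print(len(enumerate_dealers(get_dealer_hardened, dealer_b, 1001)))    # only its own
```

The fix in each case is the same shape: the server decides what the caller may do from state it holds itself (the session's user ID and role, a token it issued), never from an identifier, flag or role value that arrived in the request. Sequential IDs are not the vulnerability on their own; they only make a missing ownership check trivial to exploit at scale.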
The data Zveare was able to access includes:
Honda fixed the flaw in early April, the researcher concluded.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.