Earlier this year, a security researcher named Eaton Zveare discovered significant vulnerabilities in the e-commerce platform Honda uses for its lawn and garden products, power equipment, and marine offerings. The flaws allowed anyone to reset the password of any account on the platform and to reach parts of the site without proper authorization. Zveare reported them to Honda in March of this year. The company acknowledged the issues right away but did not compensate Zveare, as it has no bug bounty program of any kind.
Zveare's intent was not malicious, but the vulnerabilities he found could have caused significant damage to Honda and its customers. Through the password reset API flaw in the admin dashboard, Zveare found that he could change the password of a Honda test account. From there, he gained complete administrative access to the site, including every customer order from August 2016 to March 2023, the dealer websites (which he could modify), dealer and customer email addresses, internal financial reports, and potentially the private keys for the site's PayPal, Stripe, and Authorize.net payment integrations.
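The article does not say how the reset API was broken beyond the fact that any account's password could be set by anyone. The example below is added here to show the general failure mode and its fix; it is illustrative code, not Honda's platform or Zveare's exploit. The user store, the account names, and the 15-minute token lifetime are all constructed assumptions. The vulnerable handler accepts a username and a new password with no proof that the caller controls the account. The hardened flow mints a random, single-use, short-lived token bound to the account, stores only its hash, and makes the token alone identify the account at reset time, so there is no username parameter to swap for someone else's.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store for illustration; not Honda's data.
USERS = {
    "test-account": {"salt": b"salt-1", "password_hash": None},
    "dealer42": {"salt": b"salt-2", "password_hash": None},
}
# Hardened flow state: sha256(token) -> (username, expiry as epoch seconds).
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(username, password):
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    return secrets.compare_digest(user["password_hash"], hash_password(password, user["salt"]))


def reset_password_vulnerable(username, new_password):
    """Broken design: the caller names the account and the new password, and
    nothing proves the caller controls that account. Knowing a username is enough."""
    user = USERS.get(username)
    if user is None:
        return False
    user["password_hash"] = hash_password(new_password, user["salt"])
    return True


def request_reset(username, now=None):
    """Step 1 of the hardened flow: mint a random, single-use, short-lived token
    bound to the account. Only its hash is stored, so a leaked table cannot be
    replayed. The raw token goes to the address already on file; a real API
    would return the same "check your email" response whether or not the user exists."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + TOKEN_TTL_SECONDS)
    return token


def reset_password_hardened(token, new_password, now=None):
    """Step 2: the token alone selects the account. There is no username to
    tamper with, the token is consumed on first use, and it expires."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop, not get: single use even on failure
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    user = USERS[username]
    user["password_hash"] = hash_password(new_password, user["salt"])
    return True


def run_hardened_flow(now=1000.0):
    """Exercises the hardened flow with a fixed clock and returns
    (reset_ok, reuse_rejected, expired_rejected)."""
    token = request_reset("dealer42", now=now)
    reset_ok = reset_password_hardened(token, "newpass", now=now + 60)
    reuse_rejected = not reset_password_hardened(token, "again", now=now + 120)
    late_token = request_reset("dealer42", now=now)
    expired_rejected = not reset_password_hardened(
        late_token, "late", now=now + TOKEN_TTL_SECONDS + 1
    )
    return reset_ok, reuse_rejected, expired_rejected


if __name__ == "__main__":
    print("vulnerable reset of someone else's account:",
          reset_password_vulnerable("test-account", "attacker-chosen"))
    print("hardened flow (reset ok, reuse rejected, expired rejected):", run_hardened_flow())
```

The point to check in any reset implementation is which input selects the account: if a username or account ID travels alongside the token, an attacker can request a token for their own account and pair it with a victim's identifier. Binding the account to the token at issuance, as above, removes that parameter entirely.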
Zveare also found that dealer sites were assigned sequential numeric IDs, so incrementing the ID in a request by one returned the next dealer's record. This insecure direct object reference let him open another dealer's dashboard simply by changing the ID. He then modified an HTTP response so that the application treated him as an administrator, which gave him unrestricted access to the Honda Dealer Sites platform; since editing a response only changes what the client sees, the access it granted shows that the admin check was not being enforced on the server.
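Both weaknesses in this paragraph come down to authorization decisions that were never made server-side on each request. The example below is added to illustrate them in general form; it is not Honda's code, and the dealer records, session store, and session names are constructed. The vulnerable dashboard handler authenticates the caller and then returns whatever ID was asked for, so a logged-in dealer can walk the ID space; the hardened one checks on every request that the record belongs to the caller or that the caller's server-side role is admin. The second pair shows why a client-held `isAdmin` flag is worthless: the hardened check never reads it. Unguessable public identifiers are included as defence in depth, not as a substitute for the check.

```python
import secrets

# Constructed dealer records keyed by the kind of sequential ID the article describes.
DEALERS = {
    1001: {"name": "Dealer A", "owner": "dealerA"},
    1002: {"name": "Dealer B", "owner": "dealerB"},
    1003: {"name": "Dealer C", "owner": "dealerC"},
}

# Constructed server-side session store. The role lives here and only here; it is
# never read back from anything the client sends, so a tampered response cannot change it.
SESSIONS = {
    "sess-dealer-a": {"user": "dealerA", "role": "dealer"},
    "sess-admin": {"user": "ops", "role": "admin"},
}


def dealer_dashboard_vulnerable(session_id, dealer_id):
    """Authenticates the caller, then returns whatever ID was requested.
    Any logged-in dealer can walk 1001, 1002, 1003, ... and read every record."""
    if session_id not in SESSIONS:
        return None
    return DEALERS.get(dealer_id)


def dealer_dashboard_hardened(session_id, dealer_id):
    """Object-level check on every request: the record must belong to the caller,
    or the caller's server-side role must be admin."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    record = DEALERS.get(dealer_id)
    if record is None:
        return None
    if sess["role"] != "admin" and record["owner"] != sess["user"]:
        return None  # indistinguishable from "not found": do not confirm the ID exists
    return record


def walk_ids(session_id, start, count, handler):
    """Simulates the +1 enumeration: which IDs in the range does this handler leak?"""
    return [i for i in range(start, start + count) if handler(session_id, i) is not None]


def admin_action_vulnerable(session_id, client_state):
    """Trusts an isAdmin flag the client holds after the server first returned it.
    Editing the response that set the flag is enough to get in."""
    return session_id in SESSIONS and client_state.get("isAdmin") is True


def admin_action_hardened(session_id, client_state):
    """Ignores client-held claims entirely; the role comes from the session store."""
    sess = SESSIONS.get(session_id)
    return sess is not None and sess["role"] == "admin"


# Defence in depth: expose random, unguessable public IDs instead of the sequential
# internal ones, so a blind walk finds nothing. This narrows the attack surface but
# does not replace the object-level check, which still runs on the internal ID.
PUBLIC_IDS = {secrets.token_urlsafe(16): internal for internal in DEALERS}


def public_id_for(internal_id):
    for public, internal in PUBLIC_IDS.items():
        if internal == internal_id:
            return public
    return None


def dealer_dashboard_by_public_id(session_id, public_id):
    internal = PUBLIC_IDS.get(public_id)
    if internal is None:
        return None
    return dealer_dashboard_hardened(session_id, internal)


if __name__ == "__main__":
    print("vulnerable handler leaks:", walk_ids("sess-dealer-a", 1001, 5, dealer_dashboard_vulnerable))
    print("hardened handler leaks:", walk_ids("sess-dealer-a", 1001, 5, dealer_dashboard_hardened))
    print("tampered isAdmin against vulnerable check:",
          admin_action_vulnerable("sess-dealer-a", {"isAdmin": True}))
    print("tampered isAdmin against hardened check:",
          admin_action_hardened("sess-dealer-a", {"isAdmin": True}))
```

A quick way to test a live application for the first weakness is exactly the walk shown in `walk_ids`: authenticate as the lowest-privileged user available, then request neighbouring IDs and count how many come back with data rather than a not-found response.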
These flaws posed a threat to both Honda and its customers. An attacker with access to more than 21,000 customer orders could have run highly targeted phishing campaigns, and more than 1,000 active dealer websites could have been silently modified to serve malicious code such as credit card skimmers and crypto miners.
Many experts say this incident underscores the need for companies to run a bug bounty program that gives white-hat hackers an incentive to report vulnerabilities. Without one, companies may struggle to attract the attention of security researchers, or may find that an attacker with malicious intent discovers the vulnerability before they do.
Honda is not alone: companies of every kind carry the same classes of vulnerability in their e-commerce systems. The incident highlights the need for comprehensive security measures to keep users' private information secure. Alongside bug bounty programs and retiring vulnerable old code, companies should also consider investing in AI-based cybersecurity that can identify and intercept advanced email threats, though none of the flaws described here would have been caught by an email filter: they are server-side authorization bugs, and the direct fixes are enforcing access checks on every request, using unguessable object identifiers, and requiring a single-use token for password resets. With the increase in work-from-home arrangements and reliance on digital systems, such measures are more crucial than ever.
