Honda Group’s E-commerce Website Vulnerability Exposes Customer Information

Honda Group, a Japanese multinational corporation known for its automobiles, robots, power equipment, and more, recently had a vulnerability in one of its e-commerce websites that exposed customer and dealer information, raising concern among customers, dealers, and security practitioners.

Overview of Honda Group’s E-commerce Website

Honda Group’s e-commerce website serves as a platform for purchasing automotive parts, accessories, services, and other related products. A vulnerability recently discovered in this website allowed a security researcher, without any legitimate privileges, to reach a significant amount of customer and dealer information.

Security Vulnerability in Honda Group’s E-commerce Website

Researchers identified a vulnerability in the password reset API of Honda’s e-commerce website that could have allowed attackers to access sensitive information such as customer orders, dealer and customer email addresses, and financial data.

Discovery and Exploitation of the Vulnerability

The vulnerability was discovered by researcher Eaton Zveare on three e-commerce websites associated with Honda Group’s sales of marine and power equipment. The flaw resided in the password reset API, which accepted a password reset without adequately verifying who was asking; this let the researcher gain administrative access to the Honda websites and view data about customers and dealers. By chaining the password reset flaw with an insecure direct object reference (IDOR) vulnerability, the researcher could read every dealer’s data, including customer emails, website information, financial reports, and more, without needing any real user’s credentials.
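The article does not publish the exact request the researcher sent, so the following is an added, self-contained model of the weakness class it describes, not Honda’s code: a reset endpoint that trusts the caller’s claim of identity, beside a hardened version that requires an unguessable, time-limited, single-use token. The user store, emails, and function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def _hash_pw(password, salt):
    # PBKDF2 is used here only so the demo stores no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store():
    """Constructed in-memory store: users plus a table of pending resets."""
    users = {}
    for email, role in (("dealer@example.test", "dealer"), ("admin@example.test", "admin")):
        salt = os.urandom(16)
        users[email] = {"salt": salt, "pw_hash": _hash_pw("initial-password", salt), "role": role}
    return {"users": users, "resets": {}}


def check_login(store, email, password):
    user = store["users"].get(email)
    if user is None:
        return False
    return hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"])


# VULNERABLE: the endpoint takes an e-mail and a new password and applies it.
# Nothing proves the caller controls that mailbox, so anyone who knows an
# account's address (dealer and admin addresses are easy to find) owns it.
def reset_password_vulnerable(store, email, new_password):
    user = store["users"].get(email)
    if user is None:
        return False
    user["pw_hash"] = _hash_pw(new_password, user["salt"])
    return True


# HARDENED step 1: mint a random token, remember only its hash with an expiry.
# In a real service the token goes out of band to the address on file and the
# HTTP response is identical whether or not the address exists.  It is returned
# here only so the demo can complete the flow.
def request_reset(store, email, now=None):
    if email not in store["users"]:
        return None
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + RESET_TTL
    store["resets"][hashlib.sha256(token.encode()).hexdigest()] = (email, expires)
    return token


# HARDENED step 2: the caller names no account; the token identifies it.  The
# token is consumed on first use, whether or not it turns out to be expired.
def reset_password(store, token, new_password, now=None):
    now = time.time() if now is None else now
    pending = store["resets"].pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if pending is None:
        return False
    email, expires = pending
    if now > expires:
        return False
    user = store["users"][email]
    user["pw_hash"] = _hash_pw(new_password, user["salt"])
    return True
```

The dictionary lookup on the token hash is effectively constant time for this purpose; what matters is that the server never compares a caller-supplied e-mail against anything to decide whose password changes.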

Impact of the Data Breach

Exploiting these vulnerabilities, the researcher was able to access around 21,000 customer order records spanning August 2016 to March of this year. The exposed data includes customer names, addresses, phone numbers, and ordered products; over 10,000 customer email addresses; nearly 1,600 dealer websites; around 3,600 dealer accounts; over 1,000 dealer email addresses; and, potentially, details of electronic payment services and internal financial reports.

Recommended Mitigation Measures

Following the report of the vulnerability, Honda Group announced that the issue has been addressed and assured that Honda vehicles are unaffected. Researchers recommend that website administrators implement password reset functionality with care, so that it does not become a way into insecure administrative APIs. They also advise enforcing proper access controls on every endpoint, bearing in mind that a token issued by the authentication service for a low-privilege login will be presented to the API as well, so each endpoint must check what that caller is allowed to see rather than only whether the caller is logged in; and avoiding sequential identifiers in URLs, which let anyone with one valid login enumerate every other record. For single-page web applications built with React or Angular, where the client code is visible to every user, any information or logic embedded in that code (such as feature flags or role checks) must be treated as public and never relied on for security. Lastly, this incident is a reminder that just last week Toyota also disclosed a cloud configuration issue that exposed vehicle and maintenance information for about 260,000 owners in Japan and for overseas dealers, with an as yet undisclosed impact on car owners in Asia.
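To make the access-control advice above concrete, here is an added example (not Honda’s code or the researcher’s) of the insecure direct object reference pattern the article describes and its fix: a handler that only checks that *someone* is logged in and then returns whatever numeric id the URL names, beside one that resolves role and identity from a server-side session table, ignores any client-supplied admin flag, and refuses records the caller does not own. The dealer records, session tokens, and function names are constructed for the demo.

```python
import secrets


class NotFound(Exception):
    """Raised for both 'no such record' and 'not yours', so the response does
    not reveal which ids exist."""


# Constructed sample data: sequential dealer ids, the login that owns each
# record, and the kind of fields the article says were exposed.
def make_dealers():
    return {
        1: {"owner": "dealer-a", "email": "a@dealer.test", "report": "FY report A"},
        2: {"owner": "dealer-b", "email": "b@dealer.test", "report": "FY report B"},
        3: {"owner": "dealer-c", "email": "c@dealer.test", "report": "FY report C"},
    }


# Constructed server-side session table: bearer token -> identity and role.
# The role lives here, never in a flag the browser sends or the SPA bundle holds.
def make_sessions():
    return {
        "tok-dealer-a": {"user": "dealer-a", "role": "dealer"},
        "tok-admin": {"user": "root", "role": "admin"},
    }


def authenticate(sessions, bearer_token):
    """Resolve the caller from the server-side session table only."""
    return sessions.get(bearer_token)


# VULNERABLE: authenticated is treated as authorized.  Any logged-in dealer
# can request id 1, 2, 3, ... and read every other dealer's record.
def get_dealer_vulnerable(db, sessions, bearer_token, dealer_id):
    if authenticate(sessions, bearer_token) is None:
        raise NotFound
    record = db.get(dealer_id)
    if record is None:
        raise NotFound
    return record


def enumerate_dealers(db, sessions, bearer_token, max_id=10):
    """What one low-privilege login achieves against the vulnerable handler."""
    found = []
    for dealer_id in range(1, max_id + 1):
        try:
            found.append(get_dealer_vulnerable(db, sessions, bearer_token, dealer_id))
        except NotFound:
            pass
    return found


# HARDENED: object-level authorization.  `claims_admin` stands for any
# client-controlled assertion of privilege; it is accepted and ignored.
def get_dealer(db, sessions, bearer_token, dealer_id, claims_admin=False):
    session = authenticate(sessions, bearer_token)
    if session is None:
        raise NotFound
    record = db.get(dealer_id)
    if record is None:
        raise NotFound
    if session["role"] != "admin" and record["owner"] != session["user"]:
        raise NotFound
    return record


# Defense in depth: expose unguessable ids instead of 1, 2, 3.  This stops
# casual enumeration but does not replace the ownership check above.
def remap_to_opaque_ids(db):
    return {secrets.token_urlsafe(16): record for record in db.values()}
```

The two changes are independent: opaque identifiers make the table hard to walk, while the ownership check is what actually prevents one dealer from reading another’s financial report even when an id leaks.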