February 29, 2024

Enterprise JM

Do the Business

Password Reset Hack Uncovered in Honda’s E-Commerce Platform, Dealers Information at Danger

Jun 12, 2023Ravie LakshmananInfo Safety / Hacking

Password Reset Hack

Security vulnerabilities uncovered in Honda’s e-commerce system could have been exploited to attain unrestricted entry to delicate seller info.

“Broken/missing entry controls manufactured it possible to accessibility all details on the system, even when logged in as a test account,” security researcher Eaton Zveare mentioned in a report posted previous 7 days.

The platform is intended for the sale of power equipment, marine, lawn and back garden firms. It does not effect the Japanese company’s automobile division.

The hack, in a nutshell, exploits a password reset system on one particular of Honda’s websites, Electricity Machines Tech Express (PETE), to reset the password involved with any account and get complete admin-stage entry.


This is built probable because of to the actuality that the API enables any user to deliver a password reset request basically by just recognizing the username or electronic mail deal with and devoid of obtaining to enter a password tied to that account.

Armed with this ability, a malicious actor could signal in and takeover another account, and subsequently get gain of the sequential mother nature of the dealer internet site URLs (i.e., “admin.pedealer.honda[.]com/dealersite//dashboard) to get unauthorized accessibility to a various dealer’s admin dashboard.

Honda E-commerce

“Just by incrementing that ID, I could obtain accessibility to each and every dealers’ data,” Zveare stated. “The underlying JavaScript code can take that ID and works by using it in API calls to fetch knowledge and show it on the page. Thankfully, this discovery rendered the want to reset any more passwords moot.”

To make matters even worse, the layout flaw could have been made use of to entry a dealer’s buyers, edit their website and goods, and worse, elevate privileges to the administrator of the entire system – a aspect limited to Honda staff – by means of a specifically crafted request to see aspects of the dealer community.


🔐 Mastering API Safety: Knowledge Your Correct Attack Area

Explore the untapped vulnerabilities in your API ecosystem and acquire proactive steps in the direction of ironclad stability. Be a part of our insightful webinar!

Join the Session

In all, the weaknesses authorized for illegitimate obtain to 21,393 buyer orders across all dealers from August 2016 to March 2023 1,570 supplier internet sites (of which 1,091 are energetic), 3,588 dealer accounts, 1,090 supplier e-mails, and 11,034 buyer email messages.

Risk actors could also leverage accessibility to these supplier internet sites by planting skimmer or cryptocurrency mining code, thereby making it possible for them to experience illicit revenue.

The vulnerabilities, subsequent responsible disclosure on March 16, 2023, have been dealt with by Honda as of April 3, 2023.

The disclosure will come months soon after Zveare in depth safety problems in Toyota’s World-wide Provider Preparing Facts Management Program (GSPIMS) and C360 CRM that could have been leveraged to access a wealth of company and consumer knowledge.

Located this report intriguing? Adhere to us on Twitter and LinkedIn to examine a lot more special written content we publish.