Subj : Honda customer data could have been accessed by anyone
To   : All
From : TechnologyDaily
Date : Thu Jun 08 2023 13:45:03

Honda customer data could have been accessed by anyone

Date: Thu, 08 Jun 2023 12:30:00 +0000
Description: A researcher finds a major flaw in Honda's e-commerce platform and accesses sensitive customer data

FULL STORY
======================================================================

If you ever bought a Honda lawn mower, then your personal information could have been leaked to malicious third parties. This is according to a cybersecurity researcher who found a fatal flaw in Honda's e-commerce platform and subsequently abused it to gain access to a lot of sensitive customer data.

As reported by BleepingComputer, Honda's automotive and other divisions were not affected; only the platform for lawn & garden hardware was found to be flawed.

Stealing data and money

The researcher - the same one that recently found unsecured databases belonging to Toyota - said a password reset API allowed him to reset the password of valuable accounts, and use them to access admin-level information in a Honda reseller subdomain. The only thing he needed was a valid email address, and he found one for a test account in a YouTube explainer video.

But the test account doesn't have all the necessary data - he would still need access to an actual account. That proved to be very easy, and he managed to pull it off without alerting anyone. As the user IDs on the platform are assigned sequentially, all he had to do was increment the user ID by one until there weren't any other results, and voila.

"Just by incrementing that ID I could gain access to every dealer's data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot," said the researcher Eaton Zveare.

Finally, after modifying an HTTP response to make it seem as if he was an administrator, he gained access to Honda's admin panel, which in turn provided him with unlimited access to the sensitive data contained within.

The data Zveare was able to access includes:

- 21,393 customer orders from all dealers, dated August 2016 to March 2023 (customer names, addresses, phone numbers, and items ordered)
- 1,570 dealer websites (roughly two-thirds are still active)
- 3,588 dealer users/accounts (includes full names and email addresses), and the ability to reset the passwords for each one
- 1,090 dealer emails (includes full names)
- 11,034 customer emails (includes full names)

Honda fixed the flaw in early April, the researcher concluded.

Via: BleepingComputer
======================================================================
Link to news story: https://www.techradar.com/news/honda-customer-data-could-have-been-accessed-by-anyone
--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
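The sequential-ID walk the article describes leaves a distinctive trace in server access logs: one session successfully fetching many adjacent dealer IDs in a row. The detector below is an added example for defenders, not code from the article or from Honda's platform; the log format and the /api/dealer/<id> path are constructed assumptions standing in for the real reseller API.

```python
import re
from collections import defaultdict

# Constructed sample access log (assumed format: ip, session, method, path, status).
# Session a1 walks dealer IDs 1043..1048 one by one; session b7 only touches its own dealer.
SAMPLE_LOG = """\
10.0.0.5 sess=a1 GET /api/dealer/1043 200
10.0.0.5 sess=a1 GET /api/dealer/1044 200
10.0.0.5 sess=a1 GET /api/dealer/1045 200
10.0.0.5 sess=a1 GET /api/dealer/1046 200
10.0.0.5 sess=a1 GET /api/dealer/1047 200
10.0.0.5 sess=a1 GET /api/dealer/1048 200
10.0.0.9 sess=b7 GET /api/dealer/2210 200
10.0.0.9 sess=b7 GET /api/dealer/2210 200
10.0.0.9 sess=b7 GET /api/orders?dealer=2210 200
"""

# Only dealer-record fetches matter for this rule; other endpoints are ignored.
LINE_RE = re.compile(r"^(\S+) sess=(\S+) \S+ /api/dealer/(\d+) (\d{3})$")


def parse(log):
    """Yield (ip, session, dealer_id, status) for each dealer-record request."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, sess, dealer_id, status = m.groups()
            yield ip, sess, int(dealer_id), int(status)


def flag_enumeration(log, min_ids=5, max_step=1):
    """Return {(ip, session): (first_id, last_id, count)} for sessions that
    successfully read at least min_ids distinct dealer records whose sorted IDs
    are never more than max_step apart, i.e. a sequential-ID walk."""
    seen = defaultdict(set)
    for ip, sess, dealer_id, status in parse(log):
        if status == 200:  # only successful reads indicate missing authorization
            seen[(ip, sess)].add(dealer_id)
    flagged = {}
    for key, ids in seen.items():
        distinct = sorted(ids)
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        if len(distinct) >= min_ids and all(s <= max_step for s in steps):
            flagged[key] = (distinct[0], distinct[-1], len(distinct))
    return flagged
```

In production the same rule would be keyed on the authenticated dealer account rather than a session cookie, so that a session reading any dealer ID other than its own is flagged regardless of count.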