Check out this excellent write-up from Eaton Zveare on how a white hat hacker compromised Honda’s power equipment/marine/lawn & garden dealer eCommerce platform through vulnerable APIs. It’s a great example of API5:2023 Broken Function Level Authorization (BFLA) and API3:2023 Broken Object Property Level Authorization (BOPLA) on a poorly written application.
Honda’s power equipment/marine/lawn & garden dealer eCommerce platform could be compromised by exploiting a password reset API, gaining access to sensitive data, leading to full admin-level access, including customer orders, dealer websites, dealer users/accounts, dealer and customer emails, potentially private keys for payment gateways, and internal financial reports.
Exploits:
- Exploited Password Reset API: The hacker exploited a password reset API that allowed them to reset the password of any account without requiring the current password or a token from a password reset email.
- Broken/Missing Access Controls: Access controls were broken or missing, enabling the hacker to access all data on the platform, even when logged in as a test account.
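As an added illustration (not code from the write-up or from Honda's platform), the two missing checks described above shown side by side: a reset handler that trusts the caller, and a hardened flow that binds a single-use, expiring token to the account, plus the role check an admin-only function needs. The user store, emails and roles are constructed placeholders.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory user store; emails and roles are placeholders, not values from the write-up.
USERS = {
    "admin@dealer.example": {"pw": None, "role": "admin"},
    "tester@dealer.example": {"pw": None, "role": "dealer"},
}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry); only the hash is stored server-side
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def reset_password_vulnerable(email, new_password):
    """The flawed pattern: the endpoint honours a reset for any account with no token or current password."""
    if email not in USERS:
        return False
    USERS[email]["pw"] = hash_password(new_password)
    return True

def issue_reset_token(email):
    """Step 1 of a sound flow: mint a random, short-lived, single-use token bound to one account
    and deliver it out of band (the reset email)."""
    if email not in USERS:
        return None  # an HTTP handler should still answer uniformly to avoid account enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + TOKEN_TTL)
    return token

def reset_password_hardened(email, token, new_password, now=None):
    """Step 2: the reset succeeds only with an unexpired token that was issued for *this* account."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None:
        return False
    token_email, expiry = entry
    if now > expiry or not hmac.compare_digest(token_email, email):
        return False
    USERS[email]["pw"] = hash_password(new_password)
    return True

def require_role(actor_email, role):
    """Function-level authorization (the BFLA side): admin actions must verify the caller's role."""
    return USERS.get(actor_email, {}).get("role") == role
```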
Impact:
Note that the hack only affected Honda’s power equipment/marine/lawn & garden business, not its automobile business (not to minimize the blast radius!).
- Customer Records: The hacker gained access to 21,393 customer orders across all dealers from August 2016 to March 2023, including customer name, address, phone number, and items ordered.
- Dealer Websites: They were able to modify any of the 1,570 dealer websites (1,091 of which are active) hosted on the platform.
- Dealer Users/Accounts: The hacker accessed 3,588 dealer users/accounts, including first and last names and email addresses. They could change the passwords of these users.
- Dealer and Customer Emails: They obtained 1,090 dealer emails and 11,034 customer emails, including first and last names.
- Payment Gateway Keys: There were potentially Stripe, PayPal, and Authorize.net private keys for dealers who provided them.
- Internal Financial Reports: The hacker accessed internal financial reports within the platform.
Other Notes:
Despite his efforts, no reward was given for this report. As mentioned by Karn in this article, automotive companies should offer higher rewards to security researchers to encourage reporting of vulnerabilities. With data breaches becoming more numerous and larger in scale, it is only a matter of time before another breach like this occurs.
Read the Article here