Honda ecommerce platform vulnerability: a walkthrough


Honda, the famous Japanese automobile manufacturer, was exposed to a critical security risk due to a vulnerability in its application programming interface (API). The flaw allowed unauthorized access to the account information of thousands of dealers and customers, including their first and last names, email, shipping addresses, and payment details.

The vulnerability was discovered by security researcher "Eaton Zveare," who recently discovered a similar API security issue at another Japanese automobile manufacturer, Toyota.

Background information about the Honda dealer website

Honda has a dedicated ecommerce platform for selling power tools, marine, lawn and garden equipment. This platform is independent of its automobile and motorcycle portal.

If you have a hardware store and wish to sell Honda products, you can do it via this website. Dealers worldwide can register in the portal, create an ecommerce website using the automated build tools provided by Honda, and select the preferred payment method (e.g., PayPal, Stripe, or Authorize.net). Honda handles the technical details when creating these affiliated stores and manages the customer order and payment flow.

According to Zveare, there are 1,570 of these dealer websites, and 1,091 of them are currently active. We can use the Google search engine to find those websites easily. Each dealer website is a subdomain of powerdealer.honda.com.

How did the exploit work?

Each Honda dealer website has an admin dashboard (https://admin.pedealer.honda.com) for managing the website and customer orders. The admin dashboard is built using Angular and consists of a single page. There’s no link to register, only a link to reset your password (see Figure 1).

Figure 1 - Honda dealer website dashboard

So far, nothing is insecure. If a dealer forgets their password, they’ll click the "Forgot Password" link and provide their email address. The website will send this information to the API, which will initiate a routine for sending an email to reset their password.

Because the researcher failed to find any exploitable route in the admin dashboard, he directed his efforts to find other vulnerable Honda dealer sites. From the admin dashboard page, we note that the page title is: Honda Dealer Website Admin. We can use Google advanced search dorks (inurl) to find all websites sharing the same page title. The researcher conducted his search and found this dealer website: PETE (Power Equipment Tech Express) (see Figure 2). After analyzing the website source code, the researcher discovered that this website is a part of the Honda eCommerce site network.

Figure 2 - https://pete.honda.com/account/login is a part of the Honda dealer network of eCommerce websites

Analyzing the password reset mechanism in https://pete.honda.com/account/login revealed that this website had a password reset API embedded in its source code (see Figure 3).

Figure 3 - API code to reset user password found on https://pete.honda.com/account/login | Source: eaton-works.com

This API was not used on the main Honda admin dashboard site. The problem with this API is that it allows users to reset their passwords without providing the old password. They only need to provide the account email to initiate the password reset routine.

The researcher found a valid dealer account email ([email protected]) on a YouTube video created by the Honda Power Equipment Dealer Sites to demonstrate how to use their platform to their potential dealers. Honda has already deleted this video from YouTube as a part of their efforts to close this vulnerability (see Figure 4).

Figure 4 - A YouTube video revealed an email associated with a test account | Source: eaton-works.com

Now all we need to do is send an HTTP request to the password reset API to change the account password. The request was executed successfully.

Using the newly set password, Zveare could access the test account (the one using [email protected]). Using the same method, we can access any dealer account by knowing their email address and resetting their password, as Zveare did for the test account.
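The weakness described above, next to a token-based reset flow, as an added example that is not Honda's code or the researcher's: a reset that only needs the email address, and a flow where the password changes only for whoever can read the mailbox. The in-memory stores, function names, token lifetime and the `dealer@example.test` account are assumptions made for the illustration.

```javascript
// Added example: in-memory stores and function names are hypothetical.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed 15-minute token lifetime
const users = new Map();       // email -> { salt, hash }
const resetTokens = new Map(); // sha256(token) -> { email, expiresAt }
const outbox = [];             // stands in for the mail system

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

function setPassword(email, password) {
  const salt = crypto.randomBytes(16);
  users.set(email, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

function checkPassword(email, password) {
  const u = users.get(email);
  if (!u) return false;
  return crypto.timingSafeEqual(u.hash, crypto.scryptSync(password, u.salt, 32));
}

// Weak pattern from the article: knowing the email is enough.
function resetPasswordWeak(email, newPassword) {
  if (!users.has(email)) return false;
  setPassword(email, newPassword);
  return true;
}

// Hardened step 1: mail a random single-use token; store only its hash.
function requestReset(email, now = Date.now()) {
  if (users.has(email)) {
    const token = crypto.randomBytes(32).toString("hex");
    resetTokens.set(sha256(token), { email, expiresAt: now + TOKEN_TTL_MS });
    outbox.push({ to: email, token });
  }
  // Same answer either way, so the endpoint does not confirm accounts.
  return "If the account exists, a reset email has been sent.";
}

// Hardened step 2: the password changes only for whoever holds the token.
function completeReset(token, newPassword, now = Date.now()) {
  const key = sha256(String(token));
  const entry = resetTokens.get(key);
  resetTokens.delete(key); // single use, even when the attempt fails
  if (!entry || now > entry.expiresAt) return false;
  setPassword(entry.email, newPassword);
  return true;
}
setPassword("dealer@example.test", "original-passphrase"); // constructed account
```
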

However, Zveare found another exploit that does not require knowing the dealer's email to access their associated ecommerce website data. By looking at the website address bar, the researcher noticed that the Honda platform assigns a sequential numerical ID to everything on dealers' websites (orders, customers, and dealer site ID).

All we need to do is increase the current ID by one to move to the next record (see Figure 5). The underlying JavaScript code then sends the new ID in its API calls, and the API returns the corresponding data, which the platform displays without any password reset. By doing so, all associated dealer data (customers, order details) will appear.

Figure 5 - Exposed order details of Honda dealer "Honda East" | Source: eaton-works.com

Clicking any order in the exposed data will reveal relevant customer information, such as first and last name, email address, phone number, shipping address, and related payment information (see Figure 6).

Figure 6 - Exposed customer information | Source: eaton-works.com

In addition to revealing customers and their associated orders, the exposed information includes dealer API keys used for processing customer payments (if the dealer already provides them to the Honda platform). The supported payment methods are Stripe, PayPal, and Authorize.net. This information is viewable by sending specific API calls (see Figure 7). The researcher did not test them because Honda took the website offline after learning about the vulnerability.

Figure 7 - The API flaws revealed payment API keys of Honda dealers | Source: eaton-works.com

It’s worth noting that this information was readily accessible to registered Honda dealers. For instance, any Honda dealer could access other dealers' private information and view their customers and orders by changing the ID in the browser address bar to that of the corresponding dealer.
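From the monitoring side, a session stepping through record IDs one at a time leaves a recognizable trail in API access logs. The following added example (not from the original write-up) flags sessions that request a run of consecutive IDs; the log format, paths and threshold are assumptions, and the log lines are constructed.

```javascript
// Added example: detect one session walking sequential record IDs.
// Log format, paths and threshold are assumptions; the lines are constructed.
const SAMPLE_LOG = `
2023-03-01T10:00:01Z sess=a1 GET /api/orders/5001 200
2023-03-01T10:00:02Z sess=a1 GET /api/orders/5002 200
2023-03-01T10:00:03Z sess=a1 GET /api/orders/5003 200
2023-03-01T10:00:04Z sess=a1 GET /api/orders/5004 200
2023-03-01T10:00:05Z sess=a1 GET /api/orders/5005 200
2023-03-01T10:00:06Z sess=b2 GET /api/orders/7310 200
2023-03-01T10:03:10Z sess=b2 GET /api/orders/7344 200
2023-03-01T10:05:42Z sess=b2 GET /api/orders/7310 200
`;

const LINE_RE = /^(\S+) sess=(\S+) GET \/api\/(\w+)\/(\d+) (\d{3})$/;

function findEnumeration(logText, minRun = 4) {
  const state = new Map(); // "session|resource" -> { lastId, run, maxRun }
  for (const line of logText.split("\n")) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue; // skip blank or unparseable lines
    const [, , session, resource, idText] = m;
    const id = Number(idText);
    const key = `${session}|${resource}`;
    const s = state.get(key) || { lastId: null, run: 1, maxRun: 1 };
    // A run grows only when the ID is exactly the previous one plus one.
    s.run = s.lastId !== null && id === s.lastId + 1 ? s.run + 1 : 1;
    s.maxRun = Math.max(s.maxRun, s.run);
    s.lastId = id;
    state.set(key, s);
  }
  const alerts = [];
  for (const [key, s] of state) {
    if (s.maxRun >= minRun) {
      const [session, resource] = key.split("|");
      alerts.push({ session, resource, consecutiveIds: s.maxRun });
    }
  }
  return alerts;
}
```

Detection of this kind complements the server-side authorization check and does not replace it.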

Accessing Honda dashboard administrative panel

To make things worse, Zveare was able to access the admin dashboard, which Honda uses to view all dealer-related information. This was achieved by modifying the HTTP response and changing "isadmin" to true (see Figure 8). This access allows complete visibility of the entire Honda dealers network.

Figure 8 - The API flaw allows access to the Honda administrative dashboard used for managing all registered dealers | Source: eaton-works.com
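Both the sequential-ID lookups and the "isadmin" change succeed only when the server never checks who is asking. The added example below (not Honda's code) shows the weak lookup beside a handler that takes identity and role from the server-side session and ignores anything the client claims about itself; the session tokens, records and function names are constructed for the illustration.

```javascript
// Added example: constructed data and hypothetical names throughout.
const sessions = new Map([
  ["tok-dealer-7", { dealerId: 7, role: "dealer" }],
  ["tok-dealer-8", { dealerId: 8, role: "dealer" }],
  ["tok-staff", { dealerId: null, role: "admin" }],
]);
const orders = new Map([
  [1001, { dealerId: 7, customer: "Customer A" }],
  [1002, { dealerId: 8, customer: "Customer B" }],
]);

// Weak pattern: any caller who supplies an ID gets the record.
function getOrderWeak(orderId) {
  return orders.get(orderId) || null;
}

// Hardened: identity and role come only from the server-side session.
// clientClaims (for example an isAdmin field) is deliberately never read.
function getOrder(sessionToken, orderId, clientClaims = {}) {
  const session = sessions.get(sessionToken);
  if (!session) return { status: 401 };
  const order = orders.get(orderId);
  const allowed = Boolean(order) &&
    (session.role === "admin" || order.dealerId === session.dealerId);
  // Same 404 for "missing" and "not yours", so IDs cannot be probed.
  if (!allowed) return { status: 404 };
  return { status: 200, body: order };
}

// Admin-only listing: the role check runs on every call, on the server.
function listAllDealers(sessionToken, clientClaims = {}) {
  const session = sessions.get(sessionToken);
  if (!session) return { status: 401 };
  if (session.role !== "admin") return { status: 403 };
  const dealerIds = new Set([...orders.values()].map((o) => o.dealerId));
  return { status: 200, body: [...dealerIds] };
}
```

Editing a response in the browser can still change what the client renders, but with checks like these the API calls behind the admin views return nothing the session is not entitled to.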

The possible impact of this attack

Threat actors can exploit Honda dealers’ information in various ways for financial gains, such as:

  • Selling customers' private information on the darknet to other threat actors.
  • Crafting social engineering attacks by utilizing customer information to gain their trust. For instance, impersonating a representative from a Honda dealer platform and requesting additional customer information, such as banking details or other personal information.
  • Exploiting customer information to reset passwords on other websites. For example, if a customer uses the same password to protect their Facebook or Instagram account, it could be compromised.
  • Installing malware on customer devices. Attackers might review Honda orders and send malicious emails with harmful attachments to customers, urging them to provide more information or install a supposedly legitimate product support application that is malicious.
  • Compromising dealer websites to run cryptocurrency mining operations or launch Distributed Denial of Service (DDoS) attacks against other websites.

APIs have become a crucial component in modern mobile and web applications. An API defines how different software components interact and specifies the types of allowed requests, how these requests are made, and the data format used for each request. API calls handle sensitive information (customer personal and financial information), so securing them is a top priority for development teams.

This post discussed a recent security incident that occurred due to API vulnerabilities. Such incidents highlight the significance of securing API calls and conducting thorough testing on web applications before releasing them to production.