Honda fixes bug spotted by researcher in platform for US equipment dealers
Honda said it has fixed a vulnerability that could have allowed anyone to take over accounts on a platform used by Honda Power Equipment and Honda Marine dealers in the United States.
This week, cybersecurity expert Eaton Zveare explained how he was able to compromise the platform by exploiting a flaw that “easily” allowed password resets of any account.
The tool is for U.S. dealers that sell Honda products like power generators, lawnmowers and outboard motors. The issue did not appear to impact Honda’s automobile business in any way, but Zveare said those who purchased other Honda products online may have been at risk.
Honda confirmed the vulnerability with Zveare in April and told Recorded Future News that once it was made aware of the issue, it “quickly isolated access to the sites, subsequently updated the sites’ security measures” and eventually returned them to service.
“At this time, Honda is not aware of any use of this vulnerability to access sensitive consumer or dealer information stored on the sites or of any malicious activity,” the spokesperson said.
“While we sincerely regret any apprehension this situation may cause for our customers or dealers, we appreciate receiving notice from the researcher, which allowed us to take quick action to resolve the issue.”
Zveare said the vulnerability allowed him to access all of the data on the platform, even though he was logged in with only a test account. With that access, he was able to see 21,393 customer orders across all dealers from August 2016 to March 2023 – including customer names, addresses, phone numbers and items ordered.
He was also able to access information from 1,570 dealer websites and modify any of the sites. The vulnerability gave him the ability to see all 3,588 dealer accounts and change the passwords for any user. He saw more than 1,000 dealer emails and over 11,000 customer emails.
Zveare noted that he may have been able to access the Stripe, PayPal, and Authorize.net private keys of the dealers who put them on the platform.
He was inspired to test the platform after he made waves in February for having gained full control, in October 2022, of a Toyota web app called the Global Supplier Preparation Information Management System (GSPIMS). That platform is used to coordinate projects, parts, surveys, purchases and more.
“After successfully breaching Toyota’s systems a few times late last year, I wanted to try my hand with a fresh automaker target. Why Honda? A good friend of mine’s family loves Honda vehicles, so I thought if I found an interesting vulnerability, it would make for a fun conversation topic,” he said.
Honda has run the Honda Dealer Sites eCommerce platform since 2016; it allows dealers to easily create a website or storefront to sell Honda products.
Password reset exploit
Zveare found a way into the site through another connected platform called Power Equipment Tech Express (PETE). He discovered that abusing the password reset mechanism on PETE would also reset passwords for accounts on the main platform.
He was worried about locking a real user out of their account, so he used a sample account that had appeared in a YouTube webinar for Honda dealers. From there, all he needed was an email address to get in.
“The password reset vulnerability was significant and now I knew that if I found a real dealer email, I could easily gain access to their account. However, that would potentially be disruptive to their business, so I avoided doing that and instead tried to find another less disruptive exploit,” he explained.
He then gained access to large amounts of data after noticing that every account was assigned a sequential ID number. Viewing a different dealer’s account was simply a matter of changing that number in the URL by one digit.
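As an added example (not Honda’s code or the researcher’s), here is the lookup pattern described above, where a record is fetched by its sequential ID alone, beside the object-level authorization check that closes it; the dealer ids, emails and account numbers are constructed sample data.

```python
# Added example: object-level authorization for dealer account lookups.
# Account ids are sequential on purpose, mirroring the pattern described in
# the article; the fix is the ownership check, not hiding the ids.
from dataclasses import dataclass


@dataclass(frozen=True)
class DealerAccount:
    account_id: int   # sequential id, as exposed in the URL
    dealer_id: str    # the dealer (tenant) that owns this account
    email: str


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


# Constructed sample data standing in for the platform's account table.
ACCOUNTS = {
    1001: DealerAccount(1001, "dealer-A", "owner@dealer-a.example"),
    1002: DealerAccount(1002, "dealer-B", "owner@dealer-b.example"),
    1003: DealerAccount(1003, "dealer-B", "sales@dealer-b.example"),
}


def get_account_vulnerable(session_dealer_id: str, account_id: int) -> DealerAccount:
    """Looks the record up by id only: the logged-in dealer is never compared
    with the record's owner, so any account is readable by changing the id."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_dealer_id: str, account_id: int) -> DealerAccount:
    """Object-level authorization: the record must belong to the caller's dealer.
    A missing record and a foreign record fail identically, so the response
    does not confirm whether a neighbouring id exists."""
    record = ACCOUNTS.get(account_id)
    if record is None or record.dealer_id != session_dealer_id:
        raise Forbidden(f"account {account_id} not accessible to {session_dealer_id}")
    return record


def can_read(session_dealer_id: str, account_id: int) -> bool:
    """True if the hardened lookup grants access; useful for tests and audit logs."""
    try:
        get_account_hardened(session_dealer_id, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # dealer-A is logged in and asks for the neighbouring id owned by dealer-B.
    print(get_account_vulnerable("dealer-A", 1002).email)  # leaks dealer-B's data
    print(can_read("dealer-A", 1002))  # False
    print(can_read("dealer-B", 1002))  # True
```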
Zveare said on the most basic level, a hacker could have easily leaked all of the customer data and dealer information. But more sophisticated, financially motivated hackers could have exploited their access to launch targeted phishing campaigns at customers in an effort to steal more valuable information or install malware.
He noted that after he reported the issue to Honda in March, the company took the entire network of websites down and confirmed to him that it had completed its investigation on April 3.
Honda has had to deal with several vulnerabilities in the past year, including some that allowed hackers to unlock Civics and other models. Other researchers have discovered ways for hackers to remotely take over Honda vehicles as well.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.