Honda API flaws exposed customer data, dealer panels, internal docs
Security News, June 2023
Honda's e-commerce platform for power equipment, marine, and lawn & garden products was vulnerable to unauthorized access by anyone, due to API flaws that allowed the password of any account to be reset.
In Honda's case, Eaton Works exploited a password reset API to reset the passwords of high-value accounts and then obtain unrestricted admin-level access to data on the firm's network.
"Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account," explains the researcher.
This made it possible to access the data panels of every Honda dealer simply by incrementing the user ID by one until no further results were returned.
It is worth noting that the above flaw could also have been exploited by Honda's registered dealers to access the panels of other dealers and, by extension, their orders, customer details, and so on.
The researcher got into the Honda Dealer Sites platform by modifying an HTTP response so that the application treated him as an admin, which gave him unlimited access to it.
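The three weaknesses the article describes (a password reset that proves nothing about who is asking, dealer panels looked up by a client-supplied user ID with no ownership check, and an admin role decided by data the client can edit) are all server-side authorization failures. The following is an added example, not Honda's code or Eaton Works' write-up: each flaw is shown as a vulnerable handler next to a hardened one, against a constructed in-memory store. All function names, the `Session` type, and the sample accounts are assumptions for illustration; the audit helper walks every ID the way the researcher's enumeration did, but as a defender's test of what each handler leaks.

```python
"""Added example (not Honda's or the researcher's code). Three access-control
failures, each as a vulnerable handler beside its hardened form. Data below
is constructed; emails use the reserved .invalid TLD."""
import secrets
from dataclasses import dataclass

# Constructed sample accounts and dealer panels (assumed shape).
USERS = {
    1: {"email": "dealer1@example.invalid", "role": "dealer", "password": "pw1"},
    2: {"email": "dealer2@example.invalid", "role": "dealer", "password": "pw2"},
    3: {"email": "admin@example.invalid", "role": "admin", "password": "pw3"},
}
PANELS = {1: {"orders": ["A-100"]}, 2: {"orders": ["B-200"]}, 3: {"orders": []}}


@dataclass
class Session:
    """What the server knows about the caller after login. `role` is looked
    up from USERS at login time and is never taken from a request body."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def denied(fn, *args):
    """True if calling fn(*args) is rejected with Forbidden (used by checks)."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


# --- 1. Password reset: anyone vs. only the account owner ---------------

def reset_password_vulnerable(email, new_password):
    """Resets any account given only its email; no proof of ownership."""
    for uid, user in USERS.items():
        if user["email"] == email:
            user["password"] = new_password
            return uid
    return None


RESET_TOKENS = {}  # token -> user_id; each token is single use


def issue_reset_token(email):
    """Mint a random, single-use token for the owner. A real endpoint would
    deliver it out of band (e-mail) and give the same response whether or
    not the address exists, so it cannot be used to enumerate accounts."""
    for uid, user in USERS.items():
        if user["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = uid
            return token
    return None


def reset_password_hardened(token, new_password):
    """Only the holder of an unexpired, unused token can change the password."""
    uid = RESET_TOKENS.pop(token, None)  # pop makes the token single use
    if uid is None:
        raise Forbidden
    USERS[uid]["password"] = new_password
    return uid


# --- 2. Dealer panel lookup: IDOR vs. ownership check ------------------

def get_panel_vulnerable(session, user_id):
    """Returns whichever panel the client asks for; session is ignored."""
    return PANELS.get(user_id)


def get_panel_hardened(session, user_id):
    """A dealer may read only its own panel; admins (per server-side role)
    may read any. The check binds the object to the authenticated caller."""
    if session.user_id != user_id and session.role != "admin":
        raise Forbidden
    return PANELS.get(user_id)


def audit_panel_access(handler, session):
    """Defender's check: which panel IDs can this session read via handler?
    Walks every known ID in order, the same way an enumeration would."""
    readable = []
    for uid in sorted(PANELS):
        if not denied(handler, session, uid) and handler(session, uid) is not None:
            readable.append(uid)
    return readable


# --- 3. Admin decision: client-controlled flag vs. server-side role ----

def admin_action_vulnerable(client_claims, session):
    """Trusts an `is_admin` field that came from a response or body the
    client can rewrite in a proxy; the session's real role is never used."""
    if not client_claims.get("is_admin"):
        raise Forbidden
    return "admin action performed"


def admin_action_hardened(session):
    """Authorization uses only the role the server set at login."""
    if session.role != "admin":
        raise Forbidden
    return "admin action performed"
```

Running `audit_panel_access` with a plain dealer session against both handlers shows the difference directly: the vulnerable handler yields every dealer's panel, the hardened one only the caller's own. The same pattern (decide on the server from the authenticated session, never from a client-supplied ID or flag) closes all three issues.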