BleepingComputer reports that Honda's e-commerce platform for power equipment was affected by password reset API vulnerabilities that could be leveraged to access customer information and other documents.
Information exposed through the exploitation of the flaws, identified by security researcher Eaton Zveare in Honda's Power Equipment Tech Express site, included 21,393 customer orders between August 2016 and March 2023, 11,034 customer emails, 3,588 dealer users/accounts, 1,570 dealer websites, 1,090 dealer emails, and internal financial reports. Dealers' Authorize.net, PayPal, and Stripe private keys could also have been accessed.
Zveare was also able to reach the data panel of every Honda dealer simply by incrementing user IDs.
"Just by incrementing that ID I could gain access to every dealer's data. The underlying JavaScript code takes that ID and uses it in API calls to fetch data and display it on the page. Thankfully, this discovery rendered the need to reset any more passwords moot," added Zveare, who also discovered a similar flaw in Toyota's supplier portal.
Honda has since addressed the vulnerabilities.
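The dealer-panel flaw Zveare describes is a missing server-side authorization check: the page's JavaScript supplies a dealer ID and the API trusts it. The following added example (not Honda's code and not from the researcher's write-up; the dealer records, field names and handler signatures are constructed) shows that pattern beside a hardened handler that binds the dealer ID to the authenticated session, plus an audit-based check that surfaces ID incrementing as repeated refusals from one session.

```javascript
// Constructed sample data (hypothetical, not Honda's): dealer records keyed by numeric ID.
const dealers = new Map([
  [1001, { name: "Dealer A", stripeKey: "sk_test_A" }],
  [1002, { name: "Dealer B", stripeKey: "sk_test_B" }],
  [1003, { name: "Dealer C", stripeKey: "sk_test_C" }],
]);

// Vulnerable pattern: the handler trusts whatever dealerId the browser script put in the request,
// so any logged-in user can read any dealer's panel by changing the number.
function getDealerPanelVulnerable(session, requestedId) {
  const d = dealers.get(requestedId);
  return d ? { status: 200, body: d } : { status: 404 };
}

// Hardened: the dealer identity comes from the authenticated session, not from the request.
// A client-supplied ID that does not match is refused and recorded in the audit trail.
function getDealerPanelHardened(session, requestedId, audit = []) {
  if (!session || !Number.isInteger(session.dealerId)) return { status: 401 };
  if (requestedId !== session.dealerId) {
    audit.push({ event: "idor_attempt", sessionDealer: session.dealerId, requested: requestedId });
    return { status: 403 };
  }
  const d = dealers.get(requestedId);
  return d ? { status: 200, body: d } : { status: 404 };
}

// Detection: a session refused for `threshold` or more distinct IDs is what incrementing
// looks like from the server side. Returns the offending session dealer IDs.
function detectEnumeration(audit, threshold = 3) {
  const perSession = new Map();
  for (const e of audit) {
    if (e.event !== "idor_attempt") continue;
    if (!perSession.has(e.sessionDealer)) perSession.set(e.sessionDealer, new Set());
    perSession.get(e.sessionDealer).add(e.requested);
  }
  return [...perSession].filter(([, ids]) => ids.size >= threshold).map(([s]) => s);
}
```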
Data in Honda’s power equipment e-commerce site exposed by API vulnerabilities