- Honda’s power equipment, marine, and lawn & garden dealer eCommerce platform was compromised by a hacker, who exploited a vulnerable password reset API. The hacker managed to gain access to all data on the platform, including customer orders, dealer websites, dealer user accounts, and internal financial reports, potentially affecting thousands of customers.
- The vulnerability exploited was found in the Power Equipment Tech Express (PETE) site, which is part of the same eCommerce network as Honda Dealer Sites. The hacker was able to reset account passwords by only knowing the username/email. This issue did not impact Honda’s automobile business, but only the power equipment, marine, and lawn & garden business.
In a significant revelation, Honda’s power equipment, marine, and lawn & garden dealer eCommerce platform has been compromised due to a vulnerable password reset API. The hacker managed to access all data on the platform, including customer orders, dealer websites, dealer users/accounts, dealer emails, and customer emails. The hacker also potentially gained access to the Stripe, PayPal, and Authorize.net private keys of dealers who provided them, as well as internal financial reports.
Interestingly, the hacker chose Honda as a target because a friend’s family loved Honda vehicles, mirroring his previous choice of Toyota, which was chosen due to his own family’s affinity for the brand. The hack exploited a platform Honda has maintained since 2016, known as Honda Dealer Sites, which allows dealers to create a website/storefront to sell Honda products. The platform features a website builder and takes care of product ordering and fulfillment. It requires a Honda dealer number to establish an account.
The Honda eCommerce platform allows customers to view and order products on these dealer sites, with the option for shipping or in-store pickup. Dealers have an admin dashboard that they can log into, create and edit their website, and view customers/orders.
The hacker initially tried to find a vulnerability through the admin dashboard but was unsuccessful. Upon further exploration, he stumbled upon a different site named PETE (Power Equipment Tech Express), which was part of the same eCommerce site network. The PETE site had an API that allowed anyone to reset an account’s password just by knowing the username/email, without having to provide the current password or a token from a password reset email.
The hacker found a valid email from a YouTube video published a month prior, which revealed a login email address for a test/sample account. Using this email, he was able to reset the password for the test account without causing a disruption to real dealers. Once he logged in, he only saw sample data created for the YouTube video. The next step was to escalate access to data in other accounts or achieve admin access.
While the password reset vulnerability was significant, the hacker avoided using it against a real dealer's email to prevent business disruption. Instead, he found a simpler flaw: the platform assigned numeric IDs to everything, from orders to sites, and did not check that the logged-in user was allowed to see the object behind a given ID. By merely changing the ID in a request, he could access another dealer's dashboard.
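The two flaws described above are both missing server-side checks. As an added illustration (not code from Honda or the platform; the in-memory stores, the e-mail "outbox" and the 15-minute token lifetime are constructed assumptions), here is what a reset endpoint and a dashboard lookup need to verify: a single-use, expiring token bound to the account instead of just the email, and an ownership check on the numeric ID.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for the platform's database and outbound e-mail (assumption).
ACCOUNTS = {"sample@example.test": {"pw_hash": None, "dealer_id": 1}}
RESET_TOKENS = {}   # sha256(token) -> (email, expires_at); raw tokens are never stored
OUTBOX = {}         # email -> token, standing in for the password-reset e-mail
DASHBOARDS = {1: {"orders": ["order-1"]}, 2: {"orders": ["order-2"]}}
TOKEN_TTL = 900     # seconds

def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Issue a reset token for a known account and deliver it out of band.
    Returns nothing either way, so the response does not reveal whether the email exists."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_token_hash(token)] = (email, now + TOKEN_TTL)
        OUTBOX[email] = token  # only the account owner's inbox ever sees the raw token
    return None

def reset_password(email, token, new_password, now=None):
    """Change the password only with a valid, unexpired token bound to this email.
    The token is consumed on any attempt, so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None or entry[0] != email or entry[1] < now:
        return False
    # Demo hash only; a real service uses a password KDF such as bcrypt or Argon2.
    ACCOUNTS[email]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True

def view_dashboard(session_dealer_id, requested_dealer_id):
    """Object-level authorization: the ID from the URL must match the session's dealer."""
    if session_dealer_id != requested_dealer_id:
        raise PermissionError("dealer %s may not view dealer %s" % (session_dealer_id, requested_dealer_id))
    return DASHBOARDS[requested_dealer_id]
```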
Honda was notified of the security breach and has since taken down the hondadealersites.com website as part of the vulnerability remediation. It is crucial to note that this hack did not impact Honda's automobile business and only pertains to its power equipment, marine, and lawn & garden business. Honda vehicle owners are not affected; only customers who purchased other Honda products online through these dealer sites are.