Cyber attacks on e-commerce applications are a common trend in 2023 as e-commerce businesses become more omnichannel, they build and deploy increasingly more API interfaces, with threat actors constantly exploring more ways to exploit vulnerabilities. This is why regular testing and ongoing monitoring are necessary to fully protect web applications, identifying weaknesses so they can be mitigated quickly.
In this article, we will discuss the recent Honda e-commerce platform attack, how it happened, and its impact on the business and its clients. In addition, to the importance of application security testing, we will also discuss the different areas of vulnerability testing and its various phases.
Finally, we will provide details on how a long-term preventative solution such as PTaaS can protect e-commerce businesses and the differences between continuous testing (PTaaS) and standard pen testing.
Table of Contents
The 2023 Honda E-commerce Platform Attack
Honda’s power equipment, lawn, garden, and marine products commerce platform contained an API flaw that enabled anyone to request a password reset for any account.
The vulnerability was found by researcher Eaton Zveare who recently discovered a major security flaw within Toyota’s supplier portal. By resetting the password of higher-level accounts, a threat actor was provided with admin-level data access on the firm’s network without restriction. If discovered by a cybercriminal, this would have resulted in a large-scale data breach with huge ramifications.
Zverare said: “Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account.”
This allowed the tester to access the following information:
- Almost 24,000 customer orders across all Honda dealerships from August of 2016 to March of 2023; this included the customer’s name, address, and phone number.
- 1,091 active dealer websites with the ability to modify these sites.
- 3,588 dealer users/accounts – including personal details.
- 11,034 customer emails – including first and last names.
- 1,090 dealer emails.
- Internal financial reports for Honda.
With the above information, cybercriminals could perform a range of activities, from phishing campaigns to social engineering attacks and selling information illegally on the dark web. With this level of access, malware could also be installed on dealer websites to attempt to skim credit cards.
How Was The Vulnerability Found
On the Honda e-commerce platform, “powerdealer.honda.com” subdomains are assigned to registered dealers. Zveare discovered that the password reset API on one of Honda’s sites, Power Equipment Tech Express (PETE), was processing reset requests without requiring the previous password.
A valid email address was found via a YouTube video that provided a demo of the dealer dashboard using a test account. Once reset, these login credentials could be used on any Honda e-commerce subdomain login portal, providing access to internal dealership data.
Next, the tester needed to access the accounts of real dealers without the risk of detection and without needing to reset the passwords of hundreds of accounts. To do this, Zveare located a JavaScript flaw on the platform, the sequential assignment of user IDs, and a lack of access security. As such, live accounts could be found by incrementing the user ID by one until there weren’t any other results.
Finally, the platform’s admin panel could be fully accessed by modifying an HTTP response to make it appear as if the exploited account was an admin.
On April 3, 2023, Honda reported that all the bugs had been fixed after the findings were initially reported to them on March 16, 2023. Eaton Zveare received no financial reward for his work as the firm does not have a bug bounty program.
The Importance of E-commerce Application Security Testing
E-commerce application security testing is essential to protect the personal and financial information of everyone linked to the application, including customers, dealers, and vendors. The frequency of cyberattacks on e-commerce applications is high, meaning adequate protection is needed to prevent data breaches that can severely damage the reputation of a business and cause financial loss.
Regulatory compliance in the e-commerce sector is also stringent, with data protection becoming business-critical to avoid financial penalties. An application requires more than just the latest security features, every component needs to be tested and best practices followed to develop a robust cybersecurity strategy.
Cyber Threats For E-commerce Applications
- Phishing – Phishing is a type of social engineering attack that aims to trick victims into clicking a link to a malicious website or application. This is done by sending an email or text that is made to look as if it has been sent from a trusted source, such as a bank or work colleague. Once on the malicious site, users may enter data such as passwords or account numbers that will be recorded.
- Malware/ Ransomware – Once infected with malware, a range of activities can take place on a system, such as locking people out of their accounts. Cybercriminals then ask for payment to re-grant access to accounts and systems – this is known as ransomware. However, there is a variety of malware that perform different actions.
- E-Skimming – E-skimming steals credit card details and personal data from payment card processing pages on e-commerce websites. This is achieved via phishing attacks, brute force attacks, XSS, or perhaps from a third-party website being compromised.
- Cross-Site Scripting (XSS) – XSS injects malicious code into a webpage to target web users. This code, typically Javascript, can record user input or monitor page activity to gather sensitive information.
- SQL Injection – If an e-commerce application stores data in an SQL database, then an SQL injection attack can input a malicious query that allows unauthorized access to the database’s contents if it is not properly protected. As well as being able to view data, it may also be possible to manipulate it in some cases.
The Different Areas of Vulnerability Testing
There are typically 8 critical areas of vulnerability testing, and their methodology can then be broken down into 6 phases.
8 Areas of Vulnerability Testing
- Web Application-Based Vulnerability Assessment
- API-Based Vulnerability Assessment
- Network-Based Vulnerability Assessment
- Host-Based Vulnerability Assessment
- Physical Vulnerability Assessment
- Wireless Network Vulnerability Assessment
- Cloud-Based Vulnerability Assessment
- Social Engineering Vulnerability Assessment
The 6 Phases of Vulnerability Assessment Methodology
- Determine critical and high-risk assets
- Perform a vulnerability assessment
- Conduct vulnerability analysis and risk assessment
- Remediate any vulnerability – E.G., applying security patches or fixing configuration issues.
- Assess how the system can be improved for optimal security.
- Report the results of the assessment and the actions taken.
Pentesting As A Service (PTaaS)
Penetration Testing as a Service (PTaaS) is a delivery platform for regular and cost-effective penetration testing while also boosting collaboration between testing providers and their clients. This allows businesses and organizations to detect vulnerabilities more frequently.
PTaaS vs. Traditional Pen Testing
Traditional penetration testing is done on a contractual basis and often takes a significant amount of time. This is why this sort of testing can only be performed once or twice a year. PTaaS, on the other hand, enables continuous testing, even as often as every time code is changed. PTaaS performs ongoing, real-time assessments using a combination of automated scanning tools and manual techniques. This provides a more continuous approach to security needs and fills in the gaps that occur with annual testing.
Click here to learn more about the benefits of PTaaS by requesting a live demo of the SWAT platform developed by Outpost24.
Conclusion
Cyberattacks on e-commerce websites occur frequently, and even platforms built by global businesses such as Honda have contained critical vulnerabilities that have been discovered in the last 12 months.
Security testing is required to assess the full attack surface of an e-commerce application, protecting both the business and its users from cyber attacks like phishing or e-skimming.
Penetration testing as a service is one of the best ways to protect platforms, performing regular scans to provide continuous vulnerability assessments so they can be mitigated as soon as possible.
Leave a Reply