Cyber attacks on e-commerce applications are a common trend in 2023. As e-commerce businesses become more omnichannel, they build and deploy more and more API interfaces, and threat actors are constantly exploring new ways to exploit vulnerabilities. This is why regular testing and ongoing monitoring are necessary to fully protect web applications, identifying weaknesses so they can be mitigated quickly.
In this article, we'll discuss the recent Honda e-commerce platform attack, how it happened, and its impact on the business and its customers. In addition to the importance of application security testing, we will also discuss the different areas of vulnerability testing and its various phases.
Finally, we'll provide details on how a long-term preventative solution such as PTaaS can protect e-commerce businesses, and the differences between continuous testing (PTaaS) and standard pen testing.
The 2023 Honda E-commerce Platform Attack
Honda's power equipment, lawn, garden, and marine products commerce platform contained an API flaw that enabled anyone to request a password reset for any account.
The vulnerability was discovered by researcher Eaton Zveare, who recently found a major security flaw within Toyota's supplier portal. By resetting the password of higher-level accounts, a threat actor would be provided with admin-level data access on the firm's network without restriction. If discovered by a cybercriminal, this could have resulted in a large-scale data breach with huge ramifications.
Zveare said: "Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account."
This allowed the tester to access the following information:
- Almost 24,000 customer orders across all Honda dealerships from August of 2016 to March of 2023; this included the customer's name, address, and phone number.
- 1,091 active dealer websites, with the ability to modify these sites.
- 3,588 dealer users/accounts, including personal details.
- 11,034 customer emails, including first and last names.
- 1,090 dealer emails.
- Internal financial reports for Honda.
With the above information, cybercriminals could perform a range of actions, from phishing campaigns to social engineering attacks and selling information illegally on the dark web. With this level of access, malware could also be installed on dealer websites to attempt to skim credit cards.
How Was The Vulnerability Discovered
On the Honda e-commerce platform, "powerdealer.honda.com" subdomains are assigned to registered dealers. Zveare discovered that the password reset API on one of Honda's sites, Power Equipment Tech Express (PETE), was processing reset requests without requiring the previous password.
A valid email address was found via a YouTube video that provided a demo of the dealer dashboard using a test account. Once reset, these login credentials could be used on any Honda e-commerce subdomain login portal, providing access to internal dealership data.
Next, the tester needed to access the accounts of real dealers without the risk of detection and without needing to reset the passwords of hundreds of accounts. To do this, Zveare located a JavaScript flaw on the platform, the sequential assignment of user IDs, and a lack of access security. As such, live accounts could be found by incrementing the user ID by one until there were no more results.
Finally, the platform's admin panel could be fully accessed by modifying an HTTP response to make it appear as if the exploited account was an admin.
On April 3, 2023, Honda reported that all the bugs had been fixed, after the findings were initially reported to them on March 16, 2023. Eaton Zveare received no financial reward for his work, as the firm does not have a bug bounty program.
The Importance of E-commerce Application Security Testing
E-commerce application security testing is essential to protect the personal and financial information of everyone connected to the application, including customers, dealers, and vendors. The frequency of cyberattacks on e-commerce applications is high, meaning adequate protection is required to prevent data breaches that can severely damage the reputation of a business and cause financial loss.
Regulatory compliance in the e-commerce sector is also stringent, with data protection becoming business-critical to avoid financial penalties. An application requires more than just the latest security features; each component must be tested and best practices adopted to develop a robust cybersecurity strategy.
Cyber Threats For E-commerce Applications
- Phishing: Phishing is a type of social engineering attack that aims to trick victims into clicking a link to a malicious website or application. This is done by sending an email or text message that is made to look as if it has been sent from a trusted source, such as a bank or work colleague. Once on the malicious site, users may enter data such as passwords or account numbers that will be recorded.
- Malware/Ransomware: Once a system is infected with malware, a range of actions can occur on it, such as locking people out of their accounts. Cybercriminals then ask for payment to re-grant access to accounts and systems; this is known as ransomware. However, there is a wide variety of malware that performs different actions.
- E-Skimming: E-skimming steals credit card details and personal data from payment card processing pages on e-commerce websites. This is achieved via phishing attacks, brute force attacks, XSS, or perhaps from a third-party website being compromised.
- Cross-Site Scripting (XSS): XSS injects malicious code into a webpage to target web users. This code, typically JavaScript, can record user input or monitor page activity to gather sensitive information.
- SQL Injection: If an e-commerce application stores data in an SQL database, then an SQL injection attack can enter a malicious query that allows unauthorized access to the database's contents if it is not properly protected. As well as being able to view data, it may also be possible to manipulate it in some cases.
The Different Areas of Vulnerability Testing
There are typically 8 key areas of vulnerability testing, and their methodology can then be broken down into 6 phases.
8 Areas of Vulnerability Testing
- Web Application-Based Vulnerability Assessment
- API-Based Vulnerability Assessment
- Network-Based Vulnerability Assessment
- Host-Based Vulnerability Assessment
- Physical Vulnerability Assessment
- Wireless Network Vulnerability Assessment
- Cloud-Based Vulnerability Assessment
- Social Engineering Vulnerability Assessment
The 6 Phases of Vulnerability Assessment Methodology
- Determine critical and high-risk assets
- Perform a vulnerability assessment
- Conduct vulnerability analysis and risk assessment
- Remediate any vulnerability, e.g., applying security patches or fixing configuration issues.
- Assess how the system can be improved for optimum security.
- Report the results of the assessment and the actions taken.
Pentesting As A Service (PTaaS)
Penetration Testing as a Service (PTaaS) is a delivery platform for regular and cost-effective penetration testing that also boosts collaboration between testing providers and their clients. This allows businesses and organizations to detect vulnerabilities more frequently.
PTaaS vs. Traditional Pen Testing
Traditional penetration testing is done on a contractual basis and often takes a significant amount of time. This is why this kind of testing can only be performed once or twice a year. PTaaS, on the other hand, allows continuous testing, even as often as every time code is changed. PTaaS performs ongoing, real-time assessments using a combination of automated scanning tools and manual techniques. This provides a more continuous approach to security needs and fills in the gaps that occur with annual testing.
Click here to learn more about the benefits of PTaaS by requesting a live demo of the SWAT platform developed by Outpost24.
Conclusion
Cyberattacks on e-commerce websites occur frequently, and even platforms built by global businesses such as Honda have contained critical vulnerabilities that were discovered in the last 12 months.
Security testing is required to assess the full attack surface of an e-commerce application, protecting both the business and its users from cyber attacks like phishing or e-skimming.
Penetration testing as a service is one of the best ways to protect platforms, performing regular scans to provide continuous vulnerability assessments so that weaknesses can be mitigated as soon as possible.