Cyberattacks Targeting E-commerce Applications



Cyberattacks on e-commerce applications were a common trend in 2023. As e-commerce businesses become more omnichannel they build and deploy ever more API interfaces, and threat actors keep looking for new ways to exploit weaknesses in them. Regular testing and ongoing monitoring are therefore necessary to protect web applications, so that weaknesses are identified and mitigated quickly.
In this article we discuss the recent attack on Honda's e-commerce platform, how it happened, and its impact on the business and its clients. We then cover the importance of application security testing, the different areas of vulnerability testing and its phases.
Finally, we look at how a long-term preventive approach such as Penetration Testing as a Service (PTaaS) can protect e-commerce businesses, and how continuous testing (PTaaS) differs from standard penetration testing.
Honda's e-commerce platform for power equipment, lawn, garden, and marine products contained an API flaw that let anyone request a password reset for any account.
The vulnerability was found by researcher Eaton Zveare, who had recently discovered a major security flaw in Toyota's supplier portal. By resetting the password of a higher-privileged account, an attacker could obtain unrestricted admin-level access to the platform's data. Had a cybercriminal found it first, the result would have been a large-scale data breach with serious consequences.
Zveare said: "Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account."
This allowed the tester to access the following information:
With this data, cybercriminals could run phishing and social-engineering campaigns or sell the information on dark-web markets. With this level of access they could also plant card-skimming (e-skimming) malware on dealer websites.
On the Honda e-commerce platform, "powerdealer.honda.com" subdomains are assigned to registered dealers. Zveare discovered that the password reset API on one of Honda's sites, Power Equipment Tech Express (PETE), processed reset requests without requiring the previous password.
A valid e-mail address was found in a YouTube video demonstrating the dealer dashboard with a test account. Once that account's password was reset, the credentials worked on the login portal of any Honda e-commerce subdomain, giving access to internal dealership data.
Next, the tester needed to reach the accounts of real dealers without risking detection and without resetting the passwords of hundreds of accounts. Zveare found a flaw in the platform's JavaScript, sequentially assigned user IDs, and no access control on the underlying requests: an insecure direct object reference. Live accounts could therefore be enumerated by incrementing the user ID by one until no further results were returned.
Finally, the platform's admin panel could be fully accessed by modifying an HTTP response so that the application treated the compromised account as an administrator, which shows the role check was being made in the client rather than enforced by the server.
On April 3, 2023, Honda reported that all the bugs had been fixed; the findings had been reported to them on March 16, 2023. Zveare received no financial reward for his work because the firm does not run a bug bounty program.
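The three weaknesses described above, as an added example that is not part of the original article or Honda's code: a toy Python model with each vulnerable handler beside a hardened one, plus the ID-walking loop the tester used. The account records, e-mail addresses, handler names and status codes are constructed for illustration; requests and sessions are plain dicts so the whole thing runs offline without a web framework.

```python
"""Toy model of the three weaknesses described above, each beside a hardened
form. Constructed example, not Honda's code: requests and sessions are plain
dicts and the 'database' is an in-memory dict, so it runs offline."""
import secrets
import time

# Constructed sample data. The IDs are sequential integers on purpose,
# because that is what made enumeration cheap on the real platform.
USERS = {
    1: {"email": "dealer1@example.com", "password": "hunter2", "role": "dealer", "data": "dealer 1 orders"},
    2: {"email": "dealer2@example.com", "password": "s3cret", "role": "dealer", "data": "dealer 2 orders"},
    3: {"email": "admin@example.com", "password": "adm1n", "role": "admin", "data": "all dealers"},
}

# ---- Weakness 1: password reset without proof of identity -------------------

def vulnerable_reset(request):
    """Anyone who knows an account's e-mail can set its password."""
    for user in USERS.values():
        if user["email"] == request["email"]:
            user["password"] = request["new_password"]
            return {"status": 200}
    return {"status": 404}

RESET_TOKENS = {}  # token -> (user_id, expiry); single use

def request_reset(email):
    """Issue a random, time-limited token. It would be delivered out of band
    (e-mail); returning it here is only so the example can exercise it."""
    for uid, user in USERS.items():
        if user["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = (uid, time.time() + 900)
            return token
    return None  # the HTTP reply should look identical for unknown addresses

def hardened_reset(request):
    """Only a valid, unexpired, unused token may change a password."""
    entry = RESET_TOKENS.pop(request.get("token", ""), None)
    if entry is None or entry[1] < time.time():
        return {"status": 403}
    USERS[entry[0]]["password"] = request["new_password"]
    return {"status": 200}

# ---- Weakness 2: sequential IDs with no object-level authorization ----------

def vulnerable_dealer_record(session, dealer_id):
    """Returns any dealer's record; being logged in at all is the only check."""
    user = USERS.get(dealer_id)
    return {"status": 200, "data": user["data"]} if user else {"status": 404}

def hardened_dealer_record(session, dealer_id):
    """The caller must own the record or hold the admin role, checked server-side."""
    user = USERS.get(dealer_id)
    if user is None:
        return {"status": 404}
    if session["user_id"] != dealer_id and USERS[session["user_id"]]["role"] != "admin":
        return {"status": 403}
    return {"status": 200, "data": user["data"]}

def enumerate_ids(handler, session, start=1, limit=1000):
    """The enumeration described above: step the ID upward until the first one
    that does not exist, and collect those the caller could actually read."""
    readable = []
    for uid in range(start, limit + 1):
        status = handler(session, uid)["status"]
        if status == 404:
            break
        if status == 200:
            readable.append(uid)
    return readable

# ---- Weakness 3: admin role decided by something the client controls --------

def vulnerable_admin_panel(request):
    """Modelled as a client-supplied flag: the only gate is the front end,
    which read the role from an HTTP response the tester could edit."""
    if request.get("is_admin"):
        return {"status": 200, "data": "admin panel"}
    return {"status": 403}

def hardened_admin_panel(session):
    """The role comes from server-side session state on every admin request."""
    if USERS[session["user_id"]]["role"] != "admin":
        return {"status": 403}
    return {"status": 200, "data": "admin panel"}

if __name__ == "__main__":
    dealer = {"user_id": 1}
    print("IDOR, vulnerable:", enumerate_ids(vulnerable_dealer_record, dealer))
    print("IDOR, hardened:  ", enumerate_ids(hardened_dealer_record, dealer))
    print("admin via edited flag:", vulnerable_admin_panel({"is_admin": True})["status"])
    print("admin via session:    ", hardened_admin_panel(dealer)["status"])
```

Run as a script, the vulnerable record handler lets dealer 1 read IDs 1, 2 and 3, while the hardened one returns only ID 1 for the same session. Two design points worth noting: switching to random identifiers (UUIDs) raises the cost of enumeration but is not a substitute for the per-request ownership check, and in a real service the reset token should be stored hashed and compared in constant time rather than kept in clear as the dict does here.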
E-commerce application security testing is essential to protect the personal and financial information of everyone linked to the application, including customers, dealers, and vendors. Cyberattacks on e-commerce applications are frequent, so adequate protection is needed to prevent data breaches that can severely damage a business's reputation and cause financial loss.
Regulatory compliance in the e-commerce sector is also stringent, and data protection has become business-critical to avoid financial penalties. An application needs more than the latest security features: every component must be tested and best practices followed to build a robust cybersecurity strategy.
There are typically 8 critical areas of vulnerability testing, and their methodology can then be broken down into 6 phases.
Penetration Testing as a Service (PTaaS) is a delivery model for regular, cost-effective penetration testing that also improves collaboration between testing providers and their clients, allowing businesses and organizations to detect vulnerabilities more frequently.
Traditional penetration testing is done on a contractual basis and often takes a significant amount of time, which is why it is usually performed only once or twice a year. PTaaS, by contrast, enables continuous testing, as often as every time code changes. It performs ongoing assessments using a combination of automated scanning and manual techniques, giving a continuous view of security posture and closing the gaps left between annual tests.
Click here to learn more about the benefits of PTaaS by requesting a live demo of the SWAT platform developed by Outpost24.
Cyberattacks on e-commerce websites occur frequently, and even platforms built by global businesses such as Honda have been found to contain critical vulnerabilities in the last 12 months.
Security testing is required to assess the full attack surface of an e-commerce application, protecting both the business and its users from attacks such as phishing or e-skimming.
Penetration testing as a service is one of the best ways to protect such platforms: regular scans and continuous vulnerability assessment mean weaknesses are found and mitigated as early as possible.