When you buy stuff online, most websites will let you view the status of your order. This page usually includes your address, phone number, and details of what you ordered. Typically, the order status page is shielded from public view either by a login page or complex encoding. Neither appeared to be in use by a major Honda parts website, which has been inadvertently leaving personal user information, including phone numbers and credit card information, open for viewing by anyone on the internet.
The Autopian was tipped off by a Honda customer who had recently ordered a Motocompacto. They visited the Honda Dreamshop parts site to determine the status of their order, a wise move after many orders were canceled early on. Checking an order is done by entering two out of three of the following on Dreamshop’s Find My Order page: order number, email address, or billing ZIP code. Once submitted, the user is taken to a URL for their order ID, where they can see all the relevant information.
Sounds secure? Not in the slightest. A wily ten-year-old could crack this one wide open. Here are a few orders we were able to source almost instantly (we’ve blurred all the personal information because we’re not jerks).
The problem is that there was no obvious authentication used on the website. All one had to do was swap out the order ID in the URL for another number, and boom! It’s possible to see all the details of other customers who have bought parts on the Dreamshop site.
The order page contains a customer’s name, billing address, shipping address, phone number, and email address. It also includes a full list of parts ordered and details of the dealership that took the order. Finally, both the credit card type and last four digits of the user’s credit card are also openly visible.
Upon verifying, The Autopian immediately notified Honda of the issue and held publication of this story until it was verified to be resolved or at least no longer easily discovered. Screenshots shown in this article have been redacted to maintain the privacy of affected individuals. We notified Honda late on Sunday night, and the company replied approximately 18 hours later saying it had removed the visible orders. The pages now read: “This page is currently under maintenance. Apologies for the inconvenience. Please check your email for order details.” As for a statement from Honda, we will update this story as soon as the company has one for us.
Update (Nov 13, 2023 18:57 ET): Here’s a statement from Honda:
American Honda is aware of a potential vulnerability in the Honda Dream Shop website that may have exposed limited customer information to unauthorized users. We take the security and privacy of our customers very seriously and took quick action to temporarily disable one function on the website – the order search page – as a precautionary measure. We are working diligently to investigate and resolve the issue as soon as possible, but the rest of the website is functioning normally, including the ability to securely order a Motocompacto. We apologize for any inconvenience this may cause to our customers and we appreciate their patience and understanding. We will provide further updates as we continue our investigation.
The common-sense expectation of most consumers is that any page that shows personal information needs to be behind some kind of wall or, at least, secured by something more complex than an easily guessable number. Someone at Honda seemingly tried to implement this when they set up a form requiring two out of three: an order number, email address and ZIP code. Without that information, the Find My Order page won’t take you to the URL for your order status.
The problem is that the order status page itself had no authentication. Thus, anyone could easily guess order numbers and take data at will. Honda did not appear to use any kind of encoding for the order IDs, as other websites do. A base64 encoding might produce something like “aHR0cHM6Ly93d3cudGhlYXV0b3BpYW4uY29tLw==” as a difficult-to-surmise order ID. Instead, the orders were just a series of five numbers with no letters or special characters.
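To make concrete why the Find My Order form did not help, here is an added Python sketch of the two designs side by side. It is illustrative code written for this article’s point, not Honda’s code or anything The Autopian examined; the function names, the `/order/<id>` lookup, the sample order records and the 15-minute token lifetime are all assumptions. The insecure handler returns whatever record matches the ID in the URL. The hardened version makes the two-of-three check the gate: only a passing check yields a random, short-lived access token, and the status page accepts nothing else. One caveat for practitioners: merely encoding a sequential number (base64 or similar) decodes straight back to the number, so the token here is random rather than encoded.

```python
"""Insecure vs. hardened order-status lookup (added illustration, not Honda's code).

All order records are constructed sample data; IDs are five-digit sequential
numbers, mirroring the article's description.
"""
import hmac
import secrets
import time

# Constructed sample data: five-digit sequential order IDs, as the article describes.
ORDERS = {
    "10001": {"email": "a@example.com", "zip": "90210", "name": "Customer A", "card_last4": "1234"},
    "10002": {"email": "b@example.com", "zip": "30301", "name": "Customer B", "card_last4": "5678"},
}


def order_status_insecure(order_id: str):
    """The flaw: whoever supplies an ID gets the record. Changing 10001 to 10002 in the URL
    reveals a different customer's order, because nothing ties the request to the form."""
    return ORDERS.get(order_id)


# ---- Hardened path ---------------------------------------------------------
TOKEN_TTL_SECONDS = 15 * 60            # assumption: a status link stays valid for 15 minutes
_access_tokens: dict = {}              # token -> (order_id, expiry); a server-side store in practice


def _matches(supplied, stored) -> bool:
    """Constant-time comparison so response timing does not reveal which field was wrong."""
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.strip().lower(), stored.lower())


def find_my_order(order_number=None, email=None, zip_code=None, now=None):
    """Two-of-three check. On success returns an unguessable access token bound to exactly one
    order; otherwise None. 'No such order' and 'wrong details' are indistinguishable on purpose,
    so the form cannot be used to confirm which order numbers exist."""
    now = time.time() if now is None else now
    candidates = []
    for oid, rec in ORDERS.items():
        score = 0
        if order_number is not None and hmac.compare_digest(order_number.strip(), oid):
            score += 1
        if _matches(email, rec["email"]):
            score += 1
        if _matches(zip_code, rec["zip"]):
            score += 1
        if score >= 2:
            candidates.append(oid)
    if len(candidates) != 1:
        return None
    # 256 bits of randomness: not enumerable, unlike a five-digit number or its base64 encoding.
    token = secrets.token_urlsafe(32)
    _access_tokens[token] = (candidates[0], now + TOKEN_TTL_SECONDS)
    return token


def order_status_secure(token, now=None):
    """The status page accepts only a token issued by find_my_order, and only until it expires."""
    now = time.time() if now is None else now
    entry = _access_tokens.get(token)
    if entry is None:
        return None
    order_id, expiry = entry
    if now > expiry:
        _access_tokens.pop(token, None)
        return None
    return ORDERS[order_id]


if __name__ == "__main__":
    print("insecure, any ID works:", order_status_insecure("10002")["name"])
    tok = find_my_order(order_number="10001", email="a@example.com")
    print("hardened, token path:", order_status_secure(tok)["name"])
    print("hardened, raw ID rejected:", order_status_secure("10002"))
```

The important property is that the status page never accepts the order number itself: the only way to reach a record is through a token that cannot be guessed and that expires, so the form the site already had becomes the real access control rather than decoration.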
There are other strategies that can catch slip-ups like these, too. An administrator could set up the server hosting the order status pages with rate limiting. If someone tried to access order statuses too quickly, it would shut off access and raise an alarm to Honda’s personnel. This is a common method that IT security staff use to catch accidental leaks when hackers try to scrape data from a site. It’s not clear whether or not this system is in place, but we were able to query multiple orders.
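The rate-limiting and alarm idea above can be sketched as log-side detection. The following is an added Python example, not Honda’s tooling and not something the article’s reporters ran: it parses web-server access log lines in the common combined format, groups requests to an assumed `/order/<id>` path by client address, and raises an alert when one client reads more distinct orders in a minute than a real customer plausibly would, or walks order IDs in sequence. The log lines, the path pattern and the thresholds are all constructed assumptions; in practice the alert would feed a block or rate limit and a notification to staff.

```python
"""Detecting order-status enumeration from access logs (added example, not Honda's tooling).

Sample log lines and the /order/<id> path are constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed URL shape for the status page, with the five-digit ID the article describes.
ORDER_PATH_RE = re.compile(r"^/order/(?P<id>\d{5})(?:[/?]|$)")

WINDOW_SECONDS = 60
MAX_DISTINCT_ORDERS = 5   # threshold assumption: a customer checks one or two orders, not dozens
SEQUENTIAL_RUN = 4        # four consecutive IDs in a row is enumeration, not a typo

# Constructed sample log: one genuine customer re-checking an order, and one client
# walking IDs 10001..10008 within a minute.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Nov/2023:18:00:01 +0000] "GET /order/10417 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Nov/2023:18:00:40 +0000] "GET /order/10417 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [13/Nov/2023:18:01:{i:02d} +0000] "GET /order/{10001 + i} HTTP/1.1" 200 5100 "-" "-"'
    for i in range(8)
]


def parse_line(line):
    """Return (ip, unix_ts, order_id) for a status-page request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = ORDER_PATH_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, int(p["id"])


def detect_enumeration(lines):
    """Return alerts as (ip, reason, detail) tuples; each client alerts at most once per reason."""
    recent = defaultdict(deque)   # ip -> deque of (ts, order_id) inside the sliding window
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, oid = parsed
        q = recent[ip]
        q.append((ts, oid))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        ids = [o for _, o in q]

        # Signal 1: too many different orders from one client in the window.
        distinct = set(ids)
        if (ip, "volume") not in alerted and len(distinct) > MAX_DISTINCT_ORDERS:
            alerts.append((ip, "volume", f"{len(distinct)} distinct orders in {WINDOW_SECONDS}s"))
            alerted.add((ip, "volume"))

        # Signal 2: the last few IDs increase by exactly one each time.
        tail = ids[-SEQUENTIAL_RUN:]
        if (ip, "sequential") not in alerted and len(tail) == SEQUENTIAL_RUN \
                and all(b - a == 1 for a, b in zip(tail, tail[1:])):
            alerts.append((ip, "sequential", f"walked {tail[0]}..{tail[-1]}"))
            alerted.add((ip, "sequential"))
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The sequential signal fires first here, after the fourth consecutive ID, and the volume signal after the sixth distinct order; the genuine customer, who loads the same order twice, triggers neither. Tuning the thresholds against real traffic is the part that needs the site’s own logs, which is also why the article can only say it was unable to tell whether such a system was in place.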
After receiving the tip, The Autopian worked to verify the leak and the potentially affected population. Research revealed orders as early as March this year were accessible on the site, as well as orders made within the last few days. However, the search was non-exhaustive, and customers may be affected outside of those dates. Despite the anonymous tipster finding the leak accidentally as they looked into their Motocompacto order, the affected customer base is much wider. Based on the orders we viewed, we estimate thousands to tens of thousands of customers had their details openly posted online. Both completed and canceled orders had details posted on the site, with customers ordering everything from scooters to trim pieces and transmissions.
“It looks like Honda was hoping that obscurity was good enough security, which is unfortunately more common than you’d like to think with e-commerce websites,” said the e-commerce engineer.
If you’re not tech-savvy, here’s what you need to know: Basically, Honda’s site made it easy for anyone to view the names, purchases, partial credit card information, and addresses of customers. Any high-schooler with the ability to write Python could have likely scraped the lot in a few hours, longer if they tried to do so without raising the alarm.
Whether the site has been scraped to harvest all the available data is impossible to know without a detailed inspection of Honda’s server logs. In any case, if you’ve ordered parts from Honda’s Dreamshop site, or if you suspect a dealer has done so for you, there are some precautions you could take. There are basic steps to follow to minimize the chance of malicious actors stealing your identity or compromising your personal accounts.
If you’ve been affected by this leak, let us know in the comments or via an email to firstname.lastname@example.org. You can of course remain anonymous.
Additional reporting by Matt Hardigree