Website error exposes Ford customer data and more
Unpatched vulnerability allowed security researchers to access sensitive company and customer data
Security researchers were able to access confidential company and employee records, customer databases, internal tickets and more on Ford’s website due to a bug in the automaker’s CRM software.
As reported by BleepingComputer, security researchers Robert Willis and break3r first discovered the vulnerability on the company’s site before bringing in members of the ethical hacking group Sakura Samurai for additional help.
The bug itself, tracked as CVE-2021-27653, is an information exposure vulnerability that exists in misconfigured instances of Pega Infinity running on Ford’s servers. In order to exploit it though, an attacker would first need to gain access to the backend web panel of a misconfigured Pega Chat Access Group portal instance.
In a blog post, Robert Willis provided further insight on the impact of the vulnerability and how it allowed the security researchers to perform account takeovers, saying:
“The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.”
Vulnerability disclosure
While the security researchers reported their findings to Pega back in February of this year and the company promptly addressed the vulnerability in their chat portal, Ford was not as cooperative when the issue was reported to the automaker through its HackerOne vulnerability disclosure program.
Sakura Samurai’s John Jackson explained in an email to BleepingComputer that at one point Ford stopped answering the security researchers’ questions. In fact, HackerOne had to intervene to get an initial response on their vulnerability submission to the company.
However, it wasn’t until the security researchers tweeted about the vulnerability on Ford’s website, without mentioning any sensitive details, that they heard back from HackerOne.
In the end though, the security researchers had to wait a full six months before disclosing the vulnerability themselves due to HackerOne’s policy. It’s worth noting that Ford doesn’t have a bug bounty program, so there was no monetary incentive for them to disclose the vulnerability. Instead, they did it out of concern for the automaker’s customers.
At this time it is still unclear whether cybercriminals or any other third party gained access to the sensitive company and customer data exposed on Ford’s website as a result of the vulnerability.
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.