Due to a misconfiguration at Ford Motor Company, attackers had free rein to access all kinds of company and privacy-sensitive data. Malicious parties could reach the databases containing customer data, private data of employees, the internal ticketing system and competitively sensitive information. It was also possible to take over accounts of customers and employees remotely.
The leak came to light this week after disclosure by security specialist Robert Willis and white-hat hacker break3r. Their findings were verified and validated by members of the ethical hacker group Sakura Samurai. Due to a misconfiguration in the Pega Infinity customer engagement system running on Ford's servers, customer and company data was accessible. The vulnerability has been assigned CVE-2021-27653.
To exploit the vulnerability, an attacker needed to access the backend web panel of a misconfigured Pega Chat Access Group portal. By delivering a crafted payload, attackers were able to perform searches, extract data from databases, obtain access tokens and perform "administrative actions."
In this way, private data of customers and employees was up for grabs. According to the security researchers, it was highly sensitive data that could be traced back to individual people. Financial data, user profiles and the search history of Ford employees, as well as the internal customer service ticketing system, were also accessible to attackers and other malicious parties.
"The impact was huge. Attackers were able to exploit the vulnerabilities identified in the broken access control and seize troves of sensitive files, perform account takeovers and obtain a significant amount of data," writes Robert Willis on his blog on the topic.
The vulnerability was discovered in February of this year by the two researchers. They reported it to Pega, which quickly closed it. Through the HackerOne vulnerability disclosure program, the discoverers notified Ford. Communication with the car manufacturer was anything but smooth, they tell BleepingComputer. "At a certain point, we got no response at all to our questions. It was only through HackerOne that we got a first response to the Ford vulnerability we discovered," said John Jackson of Sakura Samurai.
Once the leak had been confirmed, the researchers asked Ford whether they could write about it openly. Ford did not respond to this request for months. Mediation by HackerOne did not resolve matters either. Jackson says they were forced to wait six months before saying anything about the leak. Under the terms of Ford's vulnerability disclosure program, the company no longer has to pay out for vulnerabilities and security risks after six months. In response, Ford said the researchers' findings were an internal matter and "considered private."
It is unknown whether hackers or other malicious parties actually accessed or stole customer data or company information. Ford declined to comment on the story.
Ford is not the only car manufacturer whose information security was found wanting. In June, it emerged that hackers had stolen data of American and Canadian customers who had bought a car from Volkswagen or Audi. A supplier Volkswagen does business with had collected customer data from US and Canadian car buyers for sales and marketing purposes between 2014 and 2019. Hackers obtained the data of 3.3 million customers. Volkswagen declined to confirm whether this number was correct but acknowledged that "limited personal information" had been stolen by unauthorized persons.
A great deal of personal data was stolen in the breach. In addition to first and last names, residential and e-mail addresses and telephone numbers, the attackers also retrieved license plate information. Even more sensitive data was stolen from a group of 90,000 customers, including dates of birth, identification numbers and information about the cars sold. Financial data that customers had to provide to prove their financial standing also ended up in the hands of the perpetrators.
The dataset contained 1.8 million records of car sales information and over 3.8 million sales leads. It was offered for sale on the dark web for $4,000 to $5,000. Volkswagen warned customers about phishing and identity theft.