Honda Car India exposed sensitive personal information of more than 50,000 users on two Amazon Web Services (AWS) S3 buckets, according to a report released today by Kromtech Security. The two S3 buckets contained the personal data of users who had installed Honda Connect, a mobile application developed by Honda Car India.
Honda Connect is a typical remote-access application: it lets users interact with Honda's smart cars and with the services provided by Honda Car India.
Names, passwords, and other sensitive information were revealed.
Bob Diachenko, the Kromtech security researcher who discovered the misconfiguration and the exposed information, contacted Honda to report that its buckets exposed customers' personal data, including the following types of information:
⦁ Customer names
⦁ Phone numbers
⦁ E-mail addresses
⦁ Account access codes
⦁ Vehicle identification numbers (VINs)
⦁ and more
The information had been exposed on the internet for about three months, and Diachenko was not the first to find the problem at Honda India. He says that when he first looked at the buckets, they already contained a file named poc.txt.
That file is a marker left automatically by security researcher Robbie Wiggins. For nearly a year, Wiggins has been scanning the internet for misconfigured AWS S3 buckets and, when he finds one, uploading this note into it; the fact that a stranger can upload a file at all means the bucket is not just publicly readable but publicly writable. Wiggins does this to alert bucket owners and urge them to act before an attacker gets to the data.
Diachenko reports that the timestamp on Wiggins's file was February 28, 2018, about three months earlier.
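What a scan like Wiggins's is looking for is a bucket whose ACL or bucket policy grants anonymous principals (or any AWS account) the ability to list, read or write objects; being able to drop a poc.txt means the grant included write, not merely read. The Python check below is an added example, not code from the article, Kromtech or Wiggins: it classifies a bucket from ACL and bucket-policy documents in the shape the S3 GetBucketAcl and GetBucketPolicy APIs return. All sample documents, bucket names and IDs are constructed for the example.

```python
"""Classify an S3 bucket's anonymous exposure from its ACL and bucket policy.

Added example for this article (not Kromtech's or Honda's code). Inputs are
constructed documents shaped like GetBucketAcl / GetBucketPolicy responses,
so no AWS calls are made and it runs offline.
"""
import fnmatch
import json

# S3 group grantees that amount to "anyone": AllUsers is anonymous,
# AuthenticatedUsers is any AWS account holder in the world.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ANON_GROUPS = {ALL_USERS, AUTH_USERS}

# ACL permission -> what such a grantee can do. WRITE on a bucket is what
# lets a stranger upload (or delete) objects, e.g. a poc.txt marker.
ACL_CAPS = {
    "READ": {"list"},
    "WRITE": {"write", "delete"},
    "WRITE_ACP": {"acl"},
    "FULL_CONTROL": {"list", "write", "delete", "acl"},
}

# IAM action (lower-cased) -> capability; policy wildcards such as "s3:*"
# or "s3:Put*" are matched against these with fnmatch.
ACTION_CAPS = {
    "s3:listbucket": "list",
    "s3:getobject": "read",
    "s3:putobject": "write",
    "s3:deleteobject": "delete",
    "s3:putbucketacl": "acl",
    "s3:putbucketpolicy": "acl",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_anonymous_caps(acl):
    """Capabilities the ACL grants to AllUsers / AuthenticatedUsers."""
    caps = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS:
            caps |= ACL_CAPS.get(grant.get("Permission", ""), set())
    return caps


def policy_anonymous_caps(policy):
    """Capabilities Allow statements hand to an anonymous principal.

    Conditions are deliberately not evaluated: a hit means the statement
    grants access unless a Condition narrows it, which a reviewer must
    check by hand. NotAction grants are treated as granting everything.
    """
    caps = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            caps |= set(ACTION_CAPS.values())
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, cap in ACTION_CAPS.items():
                if fnmatch.fnmatchcase(action, pattern.lower()):
                    caps.add(cap)
    return caps


def classify(caps):
    """Worst-case label: 'writable' beats 'readable' beats 'private'."""
    if caps & {"write", "delete", "acl"}:
        return "writable"
    if caps & {"list", "read"}:
        return "readable"
    return "private"


def exposure(acl_json, policy_json=None):
    """Combine ACL and (optional) policy JSON strings into one verdict."""
    caps = acl_anonymous_caps(json.loads(acl_json))
    if policy_json:
        caps |= policy_anonymous_caps(json.loads(policy_json))
    return {"capabilities": sorted(caps), "verdict": classify(caps)}


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"}
# Constructed: AllUsers can list AND write, so anyone can upload a file.
EXPOSED_ACL = json.dumps({"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]})
# Constructed: owner-only ACL; policy scoped to one (made-up) IAM role.
PRIVATE_ACL = json.dumps({"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed: policy making every object world-readable.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(exposure(EXPOSED_ACL))
    print(exposure(PRIVATE_ACL, PRIVATE_POLICY))
    print(exposure(PRIVATE_ACL, PUBLIC_READ_POLICY))
```

Against a real account the same documents come from `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`; AWS's `get-bucket-policy-status` and the account-level Block Public Access setting are the quicker operational controls, but the function above makes explicit what "public" means in terms of grants, and why a bucket that accepts an uploaded marker file is in a worse state than one that merely lists.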
“Honda Car India did not even notice that this security researcher had added this note to its servers,” Diachenko noted. “There is no excuse for this, and it clearly shows that things are running on autopilot without any monitoring.”
The Kromtech researcher, meanwhile, personally notified Honda Car India of the exposed customer information, which has since been secured. The process was not easy, however: Diachenko told Texnologia.Net that it took almost two weeks to get in touch with the company and get things back to normal.