Security researchers were able to access confidential company and employee records, customer databases, internal tickets and more on Ford's website due to a bug in the automaker's CRM software.
As reported by BleepingComputer, security researchers Robert Willis and break3r first discovered the vulnerability on the company's site before bringing in members of the ethical hacking group Sakura Samurai for additional help.
The bug itself, tracked as CVE-2021-27653, is an information exposure vulnerability that exists in misconfigured instances of Pega Infinity running on Ford's servers. Exploiting it is not a single step, though: an attacker would first need to gain access to the backend web panel of a misconfigured Pega Chat Access Group portal instance, so the exposure hinges on that portal being reachable and misconfigured in the first place.
In a blog post, Robert Willis offered further insight into the impact of the vulnerability and how it allowed the security researchers to perform account takeovers, saying:
“The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.”
Vulnerability disclosure
While the security researchers reported their findings to Pega back in February of this year and the company promptly addressed the vulnerability in its chat portal, Ford was not as cooperative when the issue was reported to the automaker through its HackerOne vulnerability disclosure program.
Sakura Samurai's John Jackson explained in an email to BleepingComputer that at one point Ford stopped answering the security researchers' questions. In fact, HackerOne had to intervene to get an initial response on their vulnerability submission to the company.
Even so, it wasn't until the security researchers tweeted about the vulnerability on Ford's website, without mentioning any sensitive details, that they heard back from HackerOne.
In the end, the security researchers had to wait a full six months before disclosing the vulnerability themselves, in line with HackerOne's disclosure policy. It's worth noting that Ford doesn't have a bug bounty program, so there was no monetary incentive for them to report the vulnerability; they did it out of concern for the automaker's customers.
At this time it is still unclear whether cybercriminals or any other third party gained access to the sensitive company and customer data exposed on Ford's website as a result of the vulnerability.
Through BleepingComputer