Website error exposes Ford customer data and more


Security researchers were able to access confidential company and employee records, customer databases, internal tickets and more on Ford's website due to a bug in the automaker's CRM software.

As reported by BleepingComputer, security researchers Robert Willis and break3r first discovered the vulnerability on the company's site before bringing in members of the ethical hacking group Sakura Samurai for additional help.

The bug itself, tracked as CVE-2021-27653, is an information exposure vulnerability that exists in misconfigured instances of Pega Infinity running on Ford's servers. To exploit it, however, an attacker would first need to gain access to the backend web panel of a misconfigured Pega Chat Access Group portal instance.

In a blog post, Robert Willis provided further insight on the impact of the vulnerability and how it allowed the security researchers to perform account takeovers, saying:

“The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.”

Vulnerability disclosure

While the security researchers reported their findings to Pega back in February of this year and the company promptly addressed the vulnerability in their chat portal, Ford was not as cooperative when the issue was reported to the automaker through its HackerOne vulnerability disclosure program.

Sakura Samurai's John Jackson explained in an email to BleepingComputer that at one point Ford stopped answering the security researchers' questions. In fact, HackerOne had to intervene to get an initial response on their vulnerability submission to the company.

However, it wasn't until the security researchers tweeted about the vulnerability on Ford's website, without mentioning any sensitive details, that they heard back from HackerOne.

In the end though, the security researchers had to wait a full six months before disclosing the vulnerability themselves due to HackerOne's policy. It's worth noting that Ford doesn't have a bug bounty program so there was no monetary incentive for them to disclose the vulnerability. Instead, they did it out of concern for the automaker's customers.

At this time, it is still unclear whether cybercriminals or any other third party gained access to the sensitive company and customer data exposed on Ford's website as a result of the vulnerability.

Via BleepingComputer

Anthony Spadafora
