Ford bug reveals customer and employee data from internal systems

A flaw in Ford Motor Company’s website enabled access to critical systems and the acquisition of confidential data such as customer databases, employee records, internal tickets, etc.

 

A misconfigured instance of Pega Infinity customer engagement system operating on Ford’s servers was the source of the data leak.

 

The researchers have revealed a vulnerability discovered on Ford’s website that allowed them to view confidential company records, databases, and take over accounts.

 

The vulnerability was found by researchers Robert Willis and break3r, with further confirmation and support from members of the Sakura Samurai ethical hacking group—Aubrey Cottle, Jackson Henry, and John Jackson.

 

CVE-2021-27653, an information exposure vulnerability in inadequately configured Pega Infinity customer management system instances, is to blame for the problem.

 

Customer and employee records, Finance account numbers, Database names and tables, OAuth access tokens, Internal support tickets, User profiles within the organisation, Pulse actions, Internal interfaces, and Search bar history, according to the researchers, were among the exposed assets that contained sensitive Personal Identifiable Information (PII).

 

According to Willis, the impact is considerable, and attackers might exploit the vulnerabilities discovered in the broken access control to gain sensitive documents, perform account takeovers, and obtain a significant amount of data.

 

The researchers disclosed their findings to Pega in February 2021, and the company swiftly corrected the CVE in its chat platform.

 

Around the same time, the problem was reported to Ford via their HackerOne vulnerability disclosure program.

 

Despite the fact that Ford took the endpoints offline within 24 hours of the report, the researchers noted in the same report that the endpoints were still accessible after that, and recommended additional evaluation and remediation.

 

It’s unclear whether any threat actors used the flaw to breach Ford’s systems, or if sensitive customer/employee PII was accessed.

 

You might also like:

 

Volkswagen suffers massive data breach: 3.3 million customers impacted

Mercedes-Benz data breach: Customer details exposed