A flaw on Ford Motor Company’s website permitted for accessing critical systems and accessing custody information, such as customer database, employee records, internal tickets, etc.
The data revealed arises from a misconfigured instance of the Pega Infinity customer engagement system running on Ford’s servers.
From Data Exfiltration to Account Takeovers
This week, investigators have revealed a vulnerability found on Ford’s website that permits them to peek into confidential company records, databases and execute account takeovers. This vulnerability was founded by Robert Willis and break3r, with further acceptance and support facilitated by members of Sakura Samurai the ethical hacking group – Aubrey Cottle, Jackson Henry, and John Jackson.
The issue is caused by CVE-2021-27653, detailed exposure vulnerability in improperly configured Pega Infinity customer management system instances. Investigators also shared many screenshots of Ford’s internal systems and database with our experts. Such as the Company’s Ticketing System is shown below:
To exploit the issues, the threat actor would first have to access the backend web panel of a misconfigured Pega Chat Access Group portal instance:
https://www.rpa-pega-1.ford.com/prweb/PRChat/app/RPACHAT_4089/bD8qH******bIw4Prb*/!RPACHAT/$STANDARD
As seen by our experts, different payloads facilitated as URL arguments could enable threat actors to execute queries, retrieve database tables, OAuth access tokens, and execute administrative actions. The researchers state that some of the revealed assets contained critical Personal Identifiable Information (PII), and consisted of:
- Customer and employee records
- Finance account numbers
- Database names and tables
- OAuth access tokens
- Internal support tickets
- User profiles within the organization
- Pulse actions
- Internal interfaces
- Search bar history
“The impact was large in scale. Threat actors could utilize the vulnerabilities discovered in the broken access control and generate troves of critical records, perform account takeovers, and obtain a substantial amount of information,” Willis states in a blog posting.
Took six months to ‘Force-Disclose’
In February 2021, the investigators had reported their searches to Pega that fixed the CVE in their chat portal relatively quickly. The concern was also reported to Ford around a similar time via their HackerOne vulnerability disclosure program. But the researcher told our experts that communications from Ford was thin and a bit faded as the responsible disclosure timeline progressed:
“At one point in time, they absolutely stopped answering the questions. It seems that HackerOne arbitration to get the first response on our responsibility submission from Ford,” John Jackson told our experts in an email interview. Jackson told that as the disclosure timeline progressed further, the investigator heard back from HackerOne only after tweeting about the bug, but without giving out any critical details:
“When the vulnerability was marked as resolved, Ford ignored our disclosure request. Subsequently, HackerOne mediation ignored our request for help disclosing which can be seen in the PDF.”
“We had to wait the full six months to force disclose per HackerOne’s policy out of fear of the law and negative repercussions,” continued Jackson. At this time, Ford’s vulnerability disclosure program does not offer monetary incentives or bug bounties, so a coordinated disclosure in light of public interest was the only “reward” researchers were hoping for.
A copy of the disclosure report shared with our experts shows Ford refrained from commenting on specific security-related actions. “The findings you submitted… are considered private. These vulnerability reports are intended to prevent compromises which may require disclosure.”
“In this scenario, the system was taken offline shortly after you submitted your findings to HackerOne,” Ford shared with HackerOne and the researchers, as per the discussion in the PDF. Although the endpoints were taken offline by Ford within 24 hours of the report, the researchers comment in the same report that the endpoints remained accessible even afterward, and requested another review and remediation.
It is not yet known if any threat actors exploited the vulnerability to breach systems at Ford, or if the sensitive customer/employee PII was accessed. Our experts reached out to Ford multiple times well in advance of publishing but we did not hear back.
