Honda Car India has left the personal details of over 50,000 users exposed on two public Amazon S3 buckets, according to a report published today Kromtech Security.
The two AWS buckets contained the personal details of users who downloaded and installed Honda Connect, a mobile app developed by Honda Car India.
Honda Connect is your typical remote car management app, which allows users to interact with their Honda smart cars, but also to contract and interact with services provided by Honda Car India.
As such, across time, the app had collected and stored vasts amounts of personal data about Honda India's customers and their respective cars.
Bob Diachenko, the Kromtech security researcher who found the exposed S3 buckets and contacted Honda, says the servers contained the following types of user and car information:
But Diachenko wasn't the first to discover Honda India's S3 buckets. Diachenko says that when he came across the exposed buckets, they already contained a file named poc.txt with the following message.
This is an automated file created by a security researcher named Robbie Wiggins. For almost a year now, Wiggins has been scanning the Internet for AWS S3 buckets with incorrect permissions and leaving this message on unsecured servers. Wiggins has been doing this to warn server owners and urge them to secure servers before someone hijacks or ransoms their data.
Diachenko says the timestamp on Wiggins' file was February 28, 2018, three months and one day ago.
"Honda Car India didn't even notice that a security researcher added a note to their buckets," Diachenko noted. "There is no excuse for that, it clearly illustrates that they are simply running on auto-pilot with no monitoring at all."
The Kromtech researcher has, in the meantime, personally notified Honda Car India about their leaky S3 buckets, which are now secured. Nonetheless, the process wasn't easy. Diachenko told Bleeping Computer that it took almost two weeks to get in contact with the company and have it secure its users' data.
So, finally, @HondaCarIndia secured those two buckets (that I know of). Thank you to my followers, and specifically to @Random_Robbie and @fs0c131y for assisting in getting @Honda attention on this issue. We will publish incident report shortly. pic.twitter.com/74PIhorIuw— Bob Diachenko (@MayhemDayOne) May 29, 2018