Security researcher Justin Paine discovered an unprotected Elasticsearch instance belonging to Honda, which was publicly accessible without any authentication.
What was exposed?
The researcher noted that the information contained in the open database appears to be something like an inventory of all Honda internal machines.
“If an attacker is looking for a way into Honda's network knowing which machines are far less likely to identify/block their attacks would be critical information. These "uncontrolled machines" could very easily be the open door into the entire network,” Paine said.
Paine noted that the data was being updated every day with approximately 40,000 new entries containing information on Honda employees and their systems.
What was the response?
Justin Paine discovered the leaky database on July 4, 2019, and notified Honda about the issue on July 6, 2019. The database was found to be left open for almost 6 days from July 1, 2019, and was secured on July 6, 2019, nearly 10 hours after Paine notified the owner about the database.
“Thank you very much for pointing out the vulnerability. The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future,” Honda told Paine in a statement.