Ford has recently patched a serious vulnerability affecting its servers that potentially exposed sensitive internal documents and databases. Exploiting this vulnerability would have allowed an adversary to access internal company information and take over accounts.
Ford Servers Vulnerability Exposing Sensitive Data…
Specifically, a group of researchers discovered that Ford servers exposed internal company information because of a vulnerability.
As explained in a blog post by Robert Willis, who first discovered the bug and later brought in more researchers, the issue lay in the Pega Infinity platform instances running on Ford's servers. The vulnerability was a misconfiguration of those Pega instances that exposed internal data publicly.
This vulnerability received the CVE ID CVE-2021-27653 and a medium severity rating. As described in the advisory,
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 – 8.5.x could lead to unintended data exposure.
Nonetheless, the actual impact of the bug, had it been exploited, could have been devastating for the firm: an adversary could easily have accessed customers' and employees' personal data and sensitive company documents. According to Willis,
During the research, a lack of access control in Pega services was noticed, which allowed for information disclosure — which included PII. Data retrieved included employee email addresses and information, OAuth Access Tokens, finance account numbers, tickets within the work queue, user profiles within the organization, pulse actions, database tables and names, specific ticketing information and search bar history, internal interfaces, etc.
… Took Six Months For Ford To Address
Upon finding the vulnerability, the researchers reached out to the vendors, who tried to downplay the report.
According to the initial disclosure from Robert Willis in March 2021, the vulnerability only received a medium severity rating despite its critical impact.
Nonetheless, Pega did fix the vulnerability, as its advisory shows.
However, despite the bug being reported to Ford via its HackerOne VDP around the same time, the firm paid it little attention.
As the researchers told Bleeping Computer, they had to wait for months because Ford blocked public disclosure even after the issue had been resolved.
At one point in time, they completely stopped answering our questions. It took HackerOne mediation to get an initial response on our vulnerability submission from Ford…
When the vulnerability was marked as resolved, Ford ignored our disclosure request. Subsequently, HackerOne mediation ignored our request for help disclosing…
We had to wait the full six months to force disclose per HackerOne’s policy out of fear of the law and negative repercussions.
For now, no further statement has come from Ford regarding its handling of this case or the security risks involved.