The Ford Motor Company, a well-known leader in the automotive industry, encountered a vulnerability that culminated in data exposure. Researchers first spotted the bug in February of 2021, at which point it was disclosed to the auto manufacturer. Since then, employee and customer data may have been compromised.
The Ford vulnerability
The vulnerability is tracked as CVE-2021-27653, an information exposure bug that affects misconfigured instances of the Pega Infinity customer management system.
An attacker exploiting the bug could gain access to the backend web panel of a misconfigured Pega Chat Access Group Portal instance and operate from that access point. A determined attacker could run queries, retrieve database tables, execute admin actions and more.
What is Pega Infinity?
Pega Infinity functions as a CRM (customer relationship management) tool. It offers artificial intelligence and robotic automation capabilities that simplify relationship and engagement management.
Ford vulnerability disclosure
Discovered by Robert Willis and break3r, the vulnerability was further explored and validated by members of the Sakura Samurai ethical hacking group.
Was your data breached?
Researchers determined that exposed information included:
- Customer and employee data
- Financial information
- Database names and tables
- Search bar history
- Internal interfaces
- Internal user profiles
- Pulse actions
- Support ticket information
- OAuth access tokens
As a result, attackers had the ability to carry out account takeovers and to exfiltrate significant volumes of data.
Researchers first disclosed this vulnerability in February of this year. However, experts state that Ford’s response lagged. “At one point in time, they completely stopped answering our questions. It took HackerOne mediation to get an initial response on our vulnerability submission from Ford,” stated John Jackson, a researcher involved with the issue.
According to Ford, systems were taken offline shortly after it received a private message concerning the issue. Nonetheless, researchers state that endpoints remained vulnerable afterwards.
Experts and authorities do not yet have information on whether the bug was exploited in the wild. Similarly, it is not yet known whether any employee or client data was nefariously accessed or leaked online.