Heimdal Security Blog

Ford Vulnerability Leads to Data Exposure

Researchers have disclosed a Ford vulnerability in the company’s systems: more specifically, an improperly configured instance of the client interaction system known as Pega Infinity, which runs on Ford’s servers, exposed the network to threat. Through this bug, access to sensitive data was possible.

How Did the Ford Vulnerability Work?

The Ford vulnerability was classified as CVE-2021-27653. When testing it, researchers managed to gain access to important company data, such as enterprise records and databases. This posed a threat to the organization’s security, as hackers could have taken over accounts during a cyberattack. The bug was caused by an improperly configured instance of the Pega Infinity system.

According to the information the researchers shared with BleepingComputer, this is how the vulnerability in the Ford system worked and could have been exploited:

[Diagram: how the Ford vulnerability worked and could have been exploited]

The potential impact was large in scale. By abusing the identified broken access control, attackers could have obtained troves of sensitive records, performed account takeovers, and exfiltrated a substantial amount of data.


What Is Pega Infinity?

Pega Infinity is essentially a CRM (customer relationship management) tool with artificial intelligence and robotic automation capabilities that help organizations improve and maintain customer engagement.

Who Discovered the Ford Vulnerability?

Researchers Robert Willis and break3r were the ones who identified the Ford vulnerability. Later on, the ethical hacking group dubbed Sakura Samurai investigated the issue as well and confirmed the researchers’ findings. Among the members of the group who took part in this research were John Jackson, Jackson Henry, and Aubrey Cottle.

What Data Was Exposed?

According to Robert Willis’ report, the Ford vulnerability found in the Pega services running on Ford’s systems gave the researchers access to a set of confidential data. This data included Personally Identifiable Information (PII) such as customer and employee records, database and table names, OAuth access tokens, finance-related account numbers, search bar history, various user profiles, pulse actions, and internal interfaces.

However, even though this Ford vulnerability in Pega systems is only being disclosed now, the issue was reported to Pega back in February 2021. Around the same time, the researchers used HackerOne, Ford’s vulnerability disclosure program, to notify Ford of the matter.

The researchers told BleepingComputer that the communication did not go well, as it took 6 months before the bug could be revealed publicly. After the bug was remediated, Ford ignored the researchers’ request to publicly disclose their findings, and according to the HackerOne platform’s policy, they had to wait six months before they had the right to make it public. Moreover, Ford’s bug disclosure program does not offer monetary rewards to researchers who discover a vulnerability, so making the finding public was the only way the researchers could gain some recognition for their effort.

Mitigation Measures

After the Ford vulnerability was reported to the company, mitigation measures were implemented. The affected systems were taken offline within 24 hours, but the researchers claimed that the endpoint could still be accessed afterwards. Whether cybercriminals actually exploited this vulnerability to breach data is not confirmed or known at the present moment.