Case #13: Leaking shopping data

No one can see what you are shopping online, right?

Published: Mon, November 13, 2017, 20:40
Security Monday
Information leak

tl;dr 🔗

GoShopping - a company owning several online stores - let anyone see all your previous orders and order lines using just your e-mail address.

Summary 🔗

Who: GoShopping
Severity level: Low to medium
Reported: July 2017
Reception and handling: Poor
Status: Fixed
Reward: A thank you
Issue: Leak with all order details

Background 🔗

I recently returned to KitchenOne to buy some accessories to my coffee machine. I didn't have any account (I don't think you can have), but was a bit relieved and surprised when I during checkout could just enter my e-mail address and it would fill out my name, address and phone number.

That made me think. Is it OK that anyone can enter my e-mail address to a service and get back my full name, address and phone number? And maybe there could be more than meets the eye?

Approach (technical stuff) 🔗

When I was at the checkout step I opened Vivaldi developer tools to inspect the network traffic. There was a Ajax call to the mother site GoShopping's CMS (they're using the open source ASP.NET CMS Umbraco) returning some JSON with the name, address and phone number. But the JSON contained more. It contained my previous order in full details including all items that I bought. And even my payment information was included.

Security issues 🔗

The service for looking up the address from the e-mail address leaked the following information:

  • Seemingly all orders
  • For an order there was this information:
    • The date of the purchase
    • Each and all products ordered
    • Any discount
    • Name and address used for payment (in addition to the one used for delivery)
    • Credit card number with PAN truncation

And then there's the question if the user wants it to be possible to look up his or her name, address and phone number using their e-mail address. What if you have some kind of unlisted address? This part has not been fixed, but is assumingly working as intended.

Reception and handling 🔗

Day zero 🔗

Monday night I sent an e-mail telling about the leak.

Day 3 🔗

I got an e-mail back telling that they would look into the issue.

Day 79 🔗

Having not heard anything back and not seeing any fixes I asked them for a status. I did not receive any reply on this e-mail.

Day 91 🔗

I told them I would write about the case here on my blog that very same day.

10 minutes(!) later I got a reply telling that the issue would be fixed some time the week after. As a believer in responsible disclosure I decided to wait for them to release the fix.

Day 10X 🔗

I tested the leaking endpoint and found that it was fixed.

Would they have relased any fix if I didn't tell them I was going to do a write-up? I'm not so sure about that.

Similar case 🔗

I discovered a similar less severe case with Power in September. Power is a chain selling consumer electronics. When you check out you can specify your phone number. If you have been shopping there sometime before they can fill out the check out form with name, and address. Seems okay, right?

There's a couple of problems here. The first one is that they also returned the customer's e-mail address. And this was what I complained about in my tweet to Power. They have recently fixed this and removed the e-mail address for the data returned.

The second problem is like in this case. Okay, so the company removes the biggest issue, but have you agreed to that it should be possible to look up your name and address using your e-mail address or phone number? What if you have an unlisted phone number? What if you have an unlisted address?

Conclusion 🔗

This case is a classic example of server endpoints returning more data than what is shown to the user - and this time the data really shouldn't be there.

I don't like when it takes more than 3 months to fix something that seemingly is so easy to fix. And I'm not sure they would have fixed this at all if I hadn't been following them up and if I hadn't had this blog. At least now the users' data is more secure.

Get notified when there are new posts! :-)