No one can see what you are shopping online, right?
|Published:||Mon, November 13, 2017, 20:40|
GoShopping - a company owning several online stores - let anyone see all your previous orders and order lines using just your e-mail address.
|Severity level:||Low to medium|
|Reception and handling:||Poor|
|Reward:||A thank you|
|Issue:||Leak with all order details|
I recently returned to KitchenOne to buy some accessories to my coffee machine. I didn't have any account (I don't think you can have), but was a bit relieved and surprised when I during checkout could just enter my e-mail address and it would fill out my name, address and phone number.
That made me think. Is it OK that anyone can enter my e-mail address to a service and get back my full name, address and phone number? And maybe there could be more than meets the eye?
When I was at the checkout step I opened Vivaldi developer tools to inspect the network traffic. There was a Ajax call to the mother site GoShopping's CMS (they're using the open source ASP.NET CMS Umbraco) returning some JSON with the name, address and phone number. But the JSON contained more. It contained my previous order in full details including all items that I bought. And even my payment information was included.
The service for looking up the address from the e-mail address leaked the following information:
And then there's the question if the user wants it to be possible to look up his or her name, address and phone number using their e-mail address. What if you have some kind of unlisted address? This part has not been fixed, but is assumingly working as intended.
Monday night I sent an e-mail telling about the leak.
I got an e-mail back telling that they would look into the issue.
Having not heard anything back and not seeing any fixes I asked them for a status. I did not receive any reply on this e-mail.
I told them I would write about the case here on my blog that very same day.
10 minutes(!) later I got a reply telling that the issue would be fixed some time the week after. As a believer in responsible disclosure I decided to wait for them to release the fix.
I tested the leaking endpoint and found that it was fixed.
Would they have relased any fix if I didn't tell them I was going to do a write-up? I'm not so sure about that.
I discovered a similar less severe case with Power in September. Power is a chain selling consumer electronics. When you check out you can specify your phone number. If you have been shopping there sometime before they can fill out the check out form with name, and address. Seems okay, right?
There's a couple of problems here. The first one is that they also returned the customer's e-mail address. And this was what I complained about in my tweet to Power. They have recently fixed this and removed the e-mail address for the data returned.
The second problem is like in this case. Okay, so the company removes the biggest issue, but have you agreed to that it should be possible to look up your name and address using your e-mail address or phone number? What if you have an unlisted phone number? What if you have an unlisted address?
This case is a classic example of server endpoints returning more data than what is shown to the user - and this time the data really shouldn't be there.
I don't like when it takes more than 3 months to fix something that seemingly is so easy to fix. And I'm not sure they would have fixed this at all if I hadn't been following them up and if I hadn't had this blog. At least now the users' data is more secure.