Once again, a website glitch at a retailer has put the security and privacy of customers’ data at risk. This time, it is a UK-based gift store who inadvertently became a victim of a cybersecurity error. Reportedly, the UK store Card Factory exposed customers photos to the public due to an error in its website.
Card Factory Exposed Customers Photos
As disclosed by Mashable, a popular gift store Card Factory exposed customers photos to anyone due to a flaw in its website. Researcher, Iain Row, discovered the flaw while purchasing a birthday card from the site. He found something strange in the location of the photograph he uploaded. Out of curiosity, he dug further and discovered that he could access any user’s photos.
While the report skipped over any technical details regarding the procedure for exploit, Row, however, gave some hints regarding the severity of the bug via his comments. As stated in his email to Mashable,
“When I realised that you could (…) display any other user’s photos, I was stunned. I did some further testing and confirmed that a) you can link to the images from anywhere, and b) there are no restrictions on downloads, you can download thousands if you want and the server never kicks you out.”
Mashable stated that the exploit involved a simple URL trick, which they verified themselves too. They also quoted Luka Kladaric, founder of Sekura Collective and a software engineer, who thinks of it as ‘unacceptable’.
“This type of vulnerability is called ‘insecure direct object reference’. It is fairly common and totally unacceptable.”
The Bug Finally Patched
According to Mashable, the site owners got news of the error on October 8, 2018. But, they paid no attention to it. In fact, they threatened the researcher to remove whatever he has got from the site and to stop conducting such testing. They further pushed him not to disclose the matter publicly.
However, Row reported the matter to Mashable after which the incident surfaced online. Until the time of disclosure, Row confirmed that the glitch remained there on the site. And, the retailers continued their sales regardless. However, after around a week, the company fixed the matter and informed Mashable,
“The trust and privacy of our customers is of utmost importance to us. After recently being made aware of this issue, we have applied a security update to our website to ensure it cannot happen again.”
Such events where the vendors inadvertently leak customers’ data aren’t new. We have some recent examples, such as GovPayNow that leaked 14 million records, or the telecommunication firm Telstra that exposed 66,000 records. What is different is the attitude of threatening the researcher and urging him not to conduct further testing.