Wednesday, 22 January 2014

Net Price Direct exposing my personal data


Most web application security testers will agree that after several years of experience you start to develop an incredible "sixth sense" which allows you to estimate how secure (or insecure!) a website is likely to be, merely by looking at the way the site behaves during normal use. I'm talking about entirely passive observation of the way the site reacts, without even looking at any of the raw requests and responses that are sent to and from the application server, let alone attempting to manipulate them.

This sixth sense inevitably tingles outside the workplace too. We all buy things on the internet as private consumers, and that is certainly one place where I've noticed quite a few suspicious things lately. However, nothing has been quite so glaringly obvious as the problem I stumbled upon tonight!

A few weeks ago, I bought some Lego from an Amazon.co.uk marketplace seller called Net Price Direct (a trade name of Hyde's Toys & Gift Ltd). My order arrived promptly and in excellent condition. I was very happy. Coincidentally, I also happened to buy the same item from their eBay store. This also arrived promptly and in good condition.

Tonight, I visited the seller's own website at www.netpricedirect.co.uk, and I was pleasantly surprised to see that the delivery costs were slightly better if you bought directly from them. So I added a few items to my basket and went to the checkout (did I mention I like Lego quite a bit?).

As I had never used the site before - but had made previous purchases via Amazon and eBay - I entered my email address into this part of the login page:


All I submitted was my email address. To my disbelief, I was then taken to the following form, which was automatically populated with the personal details I had provided when placing previous orders via Amazon and eBay:


Crazy! All I did was enter my email address, and the website went ahead and gave out my name, address and telephone number.

I tried this from a different browser which had never visited the site before, and the same thing happened. Presumably, if someone has bought anything from their eBay or Amazon stores, but not yet registered an account on www.netpricedirect.co.uk, then their personal details might also be up for grabs by anyone who knows their email address. After an account has been registered, this vulnerability can no longer be exploited.

This seems like a rather daft flaw in the application logic. The email address is being treated as proof of identity, when it is neither secret nor verified. This amount of personal data should never be handed out to an unauthenticated party who knows nothing more than an affected user's email address.
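To make the logic flaw concrete, here is an added example (constructed for this post, not the shop's code) of a "returning customer" checkout lookup in two forms: the vulnerable form, where a bare email address unlocks the stored contact details, and a hardened form, where details are only released after the caller authenticates and the response for an unknown address, an unregistered address and a wrong password is identical. The customer records, salts and passwords are all constructed sample data.

```python
"""Added example: a checkout 'returning customer' lookup, vulnerable form
beside hardened form.  All records below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    email: str
    name: str
    address: str
    phone: str
    salt: bytes
    pw_hash: bytes  # PBKDF2 of the password; empty if no password was ever set


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_customer(email, name, address, phone, password=None):
    salt = os.urandom(16)
    pw_hash = _pbkdf2(password, salt) if password else b""
    return Customer(email, name, address, phone, salt, pw_hash)


# Constructed records: one imported from marketplace orders (never registered,
# so no password), one who has registered on the site itself.
CUSTOMERS = {
    "alice@example.com": make_customer(
        "alice@example.com", "Alice Example", "1 Sample Street", "01234 567890"),
    "bob@example.com": make_customer(
        "bob@example.com", "Bob Example", "2 Sample Street", "01234 000000",
        password="correct horse"),
}

# Dummy credential so that a lookup for an unknown or unregistered address
# costs the same hashing work as one for a registered address.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("dummy-password-never-accepted", _DUMMY_SALT)


def prefill_vulnerable(email):
    """The behaviour the post describes: the email address alone is treated as
    proof of identity and the stored contact details are returned to fill the
    checkout form for whoever typed it in."""
    c = CUSTOMERS.get(email)
    if c is None:
        return {"found": False}
    return {"found": True, "name": c.name, "address": c.address, "phone": c.phone}


def prefill_hardened(email, password=None):
    """Release stored details only to an authenticated caller.

    Unknown address, known-but-unregistered address and wrong password all get
    the same blank response, so the endpoint neither pre-fills personal data nor
    confirms which addresses are in the customer database."""
    c = CUSTOMERS.get(email)
    registered = c is not None and bool(c.pw_hash)
    salt = c.salt if registered else _DUMMY_SALT
    expected = c.pw_hash if registered else _DUMMY_HASH
    if password is not None:
        # Constant-time comparison; the hash is computed on every path.
        ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
        if ok and registered:
            return {"authenticated": True, "name": c.name,
                    "address": c.address, "phone": c.phone}
    # Generic answer: the form stays blank and the caller is offered sign-in
    # or guest checkout.  Imported marketplace customers would first have to
    # prove control of the address (e.g. a verification link) to claim it.
    return {"authenticated": False, "name": "", "address": "", "phone": ""}


if __name__ == "__main__":
    print("vulnerable:", prefill_vulnerable("alice@example.com"))
    print("hardened, no password:", prefill_hardened("alice@example.com"))
    print("hardened, registered user:", prefill_hardened("bob@example.com", "correct horse"))
```

The important property to check in a review is the second one: `prefill_hardened` returns exactly the same body for an address that is in the database as for one that is not, so the checkout page cannot be used as an oracle for either personal details or account existence.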

But wait, what's that thing hovering in the bottom-right corner of every page on www.netpricedirect.co.uk? That's right, it's a Trusted Shops seal, which verifies the site as a "secure online shop"...



5 comments:

  1. I stumbled upon this topic via Google. Very interesting view on subject. Thanks for sharing.

  2. thanks for this information. I thought that I will find more info about data room due diligence in this article. But nevertheless, I like your blog. ps. followed.


  3. To effectively get the Palo Alto Networks Certified Network Security Engineer 6 affirmation, the applicant ought to pass the PCNSE6 Exam Questions, which is one of the prerequisites to have the qualification, the possibility for Networks Certified Network Security Engineer 6 ought to get the best and reasonable exam material like practice exams, PCNSE6 Brain Dumps and pdf. http://www.gurufocus.com/news/455893/is-palo-altos-recent-drop-an-opportunity-to-buy

  4. Our freight transport company specialises in services related to the transport of goods. These include domestic shipping, goods consignment, cheap domestic express delivery services, ... The services we provide have received the enthusiastic support of our customers. We are continually improving the quality of our services to give our customers a better experience.

  5. Although there is still more than a month to go until the 2017 Lunar New Year, in Hanoi many đào bích and đào phai peach blossom trees have already begun to show their colours on cheap clothes-drying racks.

    Having just bought a pale peach blossom branch at the flower market, Mrs. Nguyễn Thị Liên (51, Bạch Mai ward, Hai Bà Trưng district) said: "I bought a peach blossom branch for 160,000 đồng. Every year my husband and I drive to this market to buy a peach branch to welcome the full moon of the twelfth lunar month and the Western New Year."
