Wednesday 22 January 2014

Net Price Direct exposing my personal data


Most web application security testers will agree that after several years of experience you start to develop an incredible "sixth sense" which allows you to estimate how secure (or insecure!) a website is likely to be, merely by looking at the way the site behaves during normal use.  I'm talking about entirely passive observation of the way the site reacts, without even looking at any of the raw requests and responses that are sent to and from the application server, let alone attempting to manipulate them.

This sixth sense unavoidably gets tingled outside of the work place. We all buy things on the internet as private consumers, and that is certainly one such place where I've noticed quite a few suspicious things lately. However, nothing has been quite so glaringly obvious as the problem I stumbled upon tonight!

A few weeks ago, I bought some Lego from an Amazon.co.uk marketplace seller called Net Price Direct (a trade name of Hyde's Toys & Gift Ltd). My order arrived promptly and in excellent condition. I was very happy. Coincidentally, I also happened to buy the same item from their eBay store. This also arrived promptly and in good condition.

Tonight, I visited the seller's own website at www.netpricedirect.co.uk, and I was pleasantly surprised to see that the delivery costs were slightly better if you bought directly from them.  So I added a few items to my basket and went to the checkout (did I mention I like Lego quite a bit?).

As I had never used the site before - but had made previous purchases via Amazon and eBay - I entered my email address into this part of the login page:


All I submitted was my email address. To my disbelief, I was then taken to the following form, which was automatically populated with the personal details I had provided when placing previous orders via Amazon and eBay:


Crazy! All I did was enter my email address, and the website went ahead and gave out my name, address and telephone number.

I tried this from a different browser which had never visited the site before, and the same thing happened. Presumably, if someone has bought anything from their eBay or Amazon stores, but not yet registered an account on www.netpricedirect.co.uk, then their personal details might also be up for grabs by anyone who knows their email address. After an account has been registered, this vulnerability can no longer be exploited.

This seems like a rather daft flaw in the application logic. This amount of personal data should never be handed out to an unauthenticated party who knows nothing more than an affected user's email address.

But wait, what's that thing hovering in the bottom-right corner of every page on www.netpricedirect.co.uk? That's right, it's a Trusted Shops seal, which verifies the site as a "secure online shop"...