Wednesday, 22 January 2014

Net Price Direct exposing my personal data

Most web application security testers will agree that after several years of experience you start to develop an uncanny "sixth sense" which lets you estimate how secure (or insecure!) a website is likely to be, merely by watching the way the site behaves during normal use. I'm talking about entirely passive observation of how the site reacts, without even looking at the raw requests and responses exchanged with the application server, let alone attempting to manipulate them.

This sixth sense inevitably tingles outside the workplace too. We all buy things on the internet as private consumers, and that is certainly one place where I've noticed quite a few suspicious things lately. However, nothing has been quite so glaringly obvious as the problem I stumbled upon tonight!

A few weeks ago, I bought some Lego from an Amazon marketplace seller called Net Price Direct (a trade name of Hyde's Toys & Gift Ltd). My order arrived promptly and in excellent condition. I was very happy. Coincidentally, I also happened to buy the same item from their eBay store. This also arrived promptly and in good condition.

Tonight, I visited the seller's own website, and I was pleasantly surprised to see that the delivery costs were slightly better if you bought directly from them. So I added a few items to my basket and went to the checkout (did I mention I like Lego quite a bit?).

As I had never used the site before, but had made previous purchases via Amazon and eBay, I entered my email address into this part of the login page:

All I submitted was my email address. To my disbelief, I was then taken to the following form, which was automatically populated with the personal details I had provided when placing previous orders via Amazon and eBay:

Crazy! All I did was enter my email address, and the website went ahead and gave out my name, address and telephone number.

I tried this from a different browser which had never visited the site before, and the same thing happened. Presumably, if someone has bought anything from their eBay or Amazon stores but not yet registered an account on the site, then their personal details might also be up for grabs by anyone who knows their email address. Once an account has been registered, this vulnerability can no longer be exploited.

This seems like a rather daft flaw in the application logic. This amount of personal data should never be handed out to an unauthenticated party who knows nothing more than an affected user's email address. An email address is an identifier, not a secret, so it cannot stand in for authentication.
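To make the flaw concrete, here is an added example (not code from the site or from this post) of a checkout "prefill" handler written both ways: the vulnerable version hands out stored details to anyone who supplies a matching email, while the hardened version only prefills for a session that is actually authenticated as that customer and gives an identical reply for known and unknown addresses. The customer record and session dictionaries are constructed sample data; the function names are hypothetical.

```python
from typing import Dict, Optional

# Constructed sample data: a customer whose details were captured from a
# marketplace order but who has never registered an account on the shop itself.
CUSTOMERS: Dict[str, Dict[str, object]] = {
    "alice@example.com": {
        "name": "Alice Example",
        "address": "1 Example Street, Exampletown",
        "phone": "01234 567890",
        "registered": False,
    },
}

PII_FIELDS = ("name", "address", "phone")


def prefill_vulnerable(email: str) -> Dict[str, object]:
    """The flaw described above: the only 'credential' is knowing the email."""
    record = CUSTOMERS.get(email.lower())
    if record is None or record["registered"]:
        return {}
    return {field: record[field] for field in PII_FIELDS}


def prefill_hardened(email: str, session: Dict[str, object]) -> Dict[str, object]:
    """Prefill only when the session has already proven it owns this address."""
    if not session.get("authenticated"):
        return {}
    if str(session.get("email", "")).lower() != email.lower():
        return {}
    record = CUSTOMERS.get(email.lower())
    if record is None:
        return {}
    return {field: record[field] for field in PII_FIELDS}


def guest_checkout_response(email: str) -> str:
    """Unauthenticated path: same message whether or not the email is on file,
    so the endpoint does not even confirm that a customer record exists."""
    _ = CUSTOMERS.get(email.lower())  # looked up, but never reflected back
    return "If we have previous orders for this address, we will email you a link to claim them."


def hardened_session_for(email: str, proven: bool) -> Dict[str, object]:
    """Build the session a real login or emailed claim-link handler would set."""
    return {"authenticated": proven, "email": email.lower()} if proven else {}
```

The hardened handler never returns details to an anonymous request, and the guest path's response is constant, so the endpoint can neither leak the record nor be used to enumerate which addresses the shop holds.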

But wait, what's that thing hovering in the bottom-right corner of every page on the site? That's right, it's a Trusted Shops seal, which verifies the site as a "secure online shop"...


  1. I stumbled upon this topic via Google. Very interesting view on the subject. Thanks for sharing.

  2. Thanks for this information. I thought that I would find more info about data room due diligence in this article. But nevertheless, I like your blog. P.S. followed.
