Wednesday 22 January 2014

Net Price Direct exposing my personal data


Most web application security testers will agree that after several years of experience you develop an uncanny "sixth sense" that lets you estimate how secure (or insecure!) a website is likely to be merely from the way it behaves during normal use. I'm talking about entirely passive observation of how the site reacts, without even looking at the raw requests and responses exchanged with the application server, let alone attempting to manipulate them.

This sixth sense inevitably tingles outside the workplace too. We all buy things on the internet as private consumers, and that is certainly one place where I've noticed quite a few suspicious things lately. Nothing, however, has been as glaringly obvious as the problem I stumbled upon tonight!

A few weeks ago, I bought some Lego from an Amazon.co.uk marketplace seller called Net Price Direct (a trade name of Hyde's Toys & Gift Ltd). My order arrived promptly and in excellent condition. I was very happy. Coincidentally, I also happened to buy the same item from their eBay store. This also arrived promptly and in good condition.

Tonight, I visited the seller's own website at www.netpricedirect.co.uk and was pleasantly surprised to find that delivery was slightly cheaper when buying directly from them. So I added a few items to my basket and went to the checkout (did I mention I like Lego quite a bit?).

As I had never used the site before - but had made previous purchases via Amazon and eBay - I entered my email address into this part of the login page:


All I submitted was my email address. To my disbelief, I was then taken to the following form, which was automatically populated with the personal details I had provided when placing previous orders via Amazon and eBay:


Crazy! All I did was enter my email address, and the website went ahead and gave out my name, address and telephone number.

I tried the same thing from a different browser that had never visited the site before, and the result was identical, so it is not tied to any existing session or cookie. Presumably, anyone who has bought from their eBay or Amazon stores but has not yet registered an account on www.netpricedirect.co.uk is in the same position: their personal details are up for grabs to anyone who knows their email address. Once an account has been registered the lookup no longer works, so the window only closes for customers who happen to register.

This is a rather daft flaw in the application logic: the email address is being treated as if it were a credential, when it is nothing of the sort. Knowing someone's email address proves nothing about who you are, and this much personal data should never be handed to an unauthenticated party on the strength of it. The form should only be pre-filled once the customer has either logged in or proved control of the address, for example by following a link sent to it.
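To make the flaw concrete, here is an added example (my own illustration, not code from the site or from the original post) of the checkout pre-fill logic in its vulnerable form beside a hardened version. The customer record, the `prefill_vulnerable`/`prefill_hardened` function names, the HMAC-based verification token, its 15-minute lifetime and the server-side secret are all assumptions made for the illustration; the real site's internals are unknown. The hardened handler releases stored details only to a caller who presents a token that, in a real deployment, would have been emailed to the address in question, and it answers identically for known and unknown addresses so the endpoint cannot be used to confirm who has shopped with the seller.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: details a customer left when ordering via a
# marketplace, keyed by email address. Entirely fictional.
CUSTOMERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "address": "1 Example Street, Exampletown, EX1 1EX",
        "phone": "01234 567890",
    },
}

# Assumptions for the hardened version: a server-side secret and a short
# lifetime for the proof-of-possession token emailed to the customer.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60


def prefill_vulnerable(email):
    """The flaw as described in the post: anyone who submits an email
    address receives the name, address and phone number stored against it."""
    return CUSTOMERS.get(email)


def issue_verification_token(email, now=None):
    """Mint a token proving control of `email`. In a real deployment this
    value is only ever sent to that mailbox; here it is returned so the
    flow can be exercised offline."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def _token_is_valid(email, token, now):
    """Check the token is well formed, unexpired and bound to this email."""
    try:
        ts_text, mac = token.split(".", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - ts <= TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SECRET_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def prefill_hardened(email, token=None, now=None):
    """Checkout pre-fill that releases stored details only to someone who
    has proven control of the address (a logged-in session would do too).

    Without a token the response is the same whether or not the address
    is on file, so the endpoint does not confirm who is a customer."""
    now = now if now is not None else time.time()
    if token is None:
        # Real code would email issue_verification_token(email) here if the
        # address is on file, and say nothing either way to the caller.
        return {"status": "verification_sent"}
    if not _token_is_valid(email, token, now):
        return {"status": "invalid_or_expired_token"}
    details = CUSTOMERS.get(email)
    if details is None:
        return {"status": "no_details_on_file"}
    return details


if __name__ == "__main__":
    # Reproduce the behaviour from the post against the fictional store.
    print("vulnerable:", prefill_vulnerable("alice@example.com"))
    print("hardened, no proof:", prefill_hardened("alice@example.com"))
    tok = issue_verification_token("alice@example.com")
    print("hardened, with proof:", prefill_hardened("alice@example.com", token=tok))
```

Note that the hardened version still answers "verification_sent" for an address it has never seen; that is deliberate, since a different answer would let anyone test whether a given address belongs to a customer.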

But wait, what's that thing hovering in the bottom-right corner of every page on www.netpricedirect.co.uk? That's right, it's a Trusted Shops seal, which verifies the site as a "secure online shop"...



58 comments:

  31. Their negligence in safeguarding customer information raises alarming concerns about data security, urging a thorough re-evaluation of their practices to prevent further compromises.

  32. Net Price Direct exposing my personal data raises serious concerns about data privacy and security. The incident highlights the need for stringent measures to protect personal information from unauthorized access. This breach underscores the importance of holding companies accountable for safeguarding customer data and maintaining trust in the digital age.

  36. Net Price Direct's breach of privacy by revealing personal data is a serious issue, threatening individual security and eroding trust in the company's handling of sensitive information. Urgent measures, including a thorough investigation and robust security protocols, are needed to rectify the situation, emphasizing the importance of transparency and accountability in the digital age.

  45. Net Price Direct has been accused of exposing personal data, raising privacy concerns and undermining trust. The company is calling for immediate action to rectify the breach and prevent further compromises. The impact of this breach is significant and requires a swift resolution to uphold user confidence. A thorough investigation and enhanced security measures are crucial for the affected individuals' peace of mind.

  46. Protecting personal data is paramount, and any exposure, like Net Price Direct's mishandling, raises concerns. Your privacy is non-negotiable, and such breaches demand immediate action. Safeguarding personal information is not just a right but a necessity in the digital age. Ensuring stringent security measures and transparency is crucial to prevent any unauthorized access or misuse of sensitive data. Companies must prioritize robust data protection protocols to uphold trust and respect individual privacy in every aspect of their operations.

  48. Contact Net Price Direct:
    Reach out to Net Price Direct directly through their customer support channels. Explain the situation and express your concerns about the exposure of your personal data. They may be able to provide assistance or clarification.

    Review Privacy Policy:
    Check Net Price Direct's privacy policy to understand how they handle personal data. Ensure that your concerns align with their stated practices, and if there's a violation, bring it to their attention.

    Secure Your Accounts:
    If you believe your personal data is at risk, take measures to secure your accounts. Change passwords, enable two-factor authentication, and monitor your accounts for any suspicious activity.
