Technology
This e-card site has a bug that lets anyone access user photos
Card Factory, a popular UK-based greeting card business, stores some of its customers’ data in an insecure way, letting anyone access their photos with an incredibly simple URL trick.
The site was notified about the issue on October 8 and hasn’t fixed it or alerted its customers about it in a week, Mashable has learned.
Iain Row, a website developer from Milton Keynes, told Mashable about the issue, which he’d discovered when he was buying a birthday card for his brother. He’d noticed that the location of the uploaded photo was stored in an insecure way, letting anyone access any other user’s photo as well.
We’ll skip the exact details of how to exploit the vulnerability (in the interests of user privacy), but it’s incredibly easy to do and can be carried out by anyone without any special tools or programming knowledge. We’ve independently verified that the exploit was still present on Monday morning, and we’ve have had another expert verify it as well.
“When I realised that you could (…) display any other user’s photos, I was stunned. I did some further testing and confirmed that a) you can link to the images from anywhere, and b) there are no restrictions on downloads, you can download thousands if you want and the server never kicks you out,” Row told us via e-mail.
“This type of vulnerability is called ‘insecure direct object reference.’ It’s fairly common and totally unacceptable,” Luka Kladaric, software engineer and founder of Sekura Collective, told Mashable after reviewing the issue.
Card Factory describes itself as “UK’s leading specialist retailer of greeting cards.” The company reported £185.3 million ($243.4 million) revenue in its 2018 half-year earnings report.
“This type of vulnerability is called ‘insecure direct object reference.’ It’s fairly common and totally unacceptable.”
Security vulnerabilities and bugs happen all the time. But how a company protects user data is crucial. We’ve seen Card Factory’s response to Row, and while the company did promise to fix it, it hasn’t done so in at least a week.
“They still haven’t taken down the images, and are still selling products which require private photo uploads, knowing that those photos are available to all,” Row told us.
In a letter, provided to us by Row, the company said they deem his actions to be well-meaning. But then they proceed to warn him that accessing user data in this manner would be a criminal offence.
In the letter they asked Row to confirm he had deleted all the data he’d obtained by probing for the vulnerability, as well as promise he would not do any further testing of the sort. The company also asked him not to publicly disclose any information about the vulnerability.
In its privacy policy document, Card Factory says it employs security measures to protect user information, but cannot be held responsible for “for any breach of security unless this is due to our negligence or wilful default.”
The relevant paragraph is below:
“We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. We will treat all of your information in strict confidence and we will endeavour to take all reasonable steps to keep your personal information secure once it has been transferred to our systems. However, the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful default.”
“The trust and privacy of our customers is of upmost importance to us. After recently being made aware of this issue, we will be applying a security update to our website today, to ensure it cannot happen again,” the company told us.
“We have also spoken to The Information Commissioner’s Office regarding the matter, and they have confirmed that this was not a data breach and no personal data was compromised,” the company said.
Mashable has reached out to Card Factory for further comment.
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version=’2.0′;n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,’script’,’https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘1453039084979896’);
if (window.mashKit) {
mashKit.gdpr.trackerFactory(function() {
fbq(‘track’, “PageView”);
}).render();
}
Xaira, an AI drug discovery startup, launches with a massive $1B, says it’s ‘ready’ to start developing drugs
Rabbit R1 hands-on review: Something is iffy about this
UK probes Amazon and Microsoft over AI partnerships with Mistral, Anthropic, and Inflection
‘Shōgun’ co-creators break down the finale: ‘It’s a story about death’
Tesla’s new growth plan is centered around mysterious cheaper models
Tesla’s in trouble. Is Elon Musk the problem?
Two widow founders launch DayNew, a social platform for people dealing with grief and trauma
Google Pixel 9 and Pixel 9 Pro: Release date, specs, new features, and other rumors
UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
Mood.camera is an iOS app that feels like using a retro analog camera
API startup Noname Security nears $500M deal to sell itself to Akamai
US think tank Heritage Foundation hit by cyberattack
NASA discovered bacteria that wouldn’t die. Now it’s boosting sunscreen.
How to watch ‘Argylle’: When and where is it streaming?
Tesla drops prices, Meta confirms Llama 3 release, and Apple allows emulators in the App Store
Tesla layoffs hit high performers, some departments slashed, sources say
TechCrunch Mobility: Cruise robotaxis return and Ford’s BlueCruise comes under scrutiny
Meta to close Threads in Turkey to comply with injunction prohibiting data-sharing with Instagram
Former top SpaceX exec Tom Ochinero sets up new VC firm, filings reveal
Where’s the AI in these ‘AI-powered’ products for your home?
Xaira, an AI drug discovery startup, launches with a massive $1B, says it’s ‘ready’ to start developing drugs
Rabbit R1 hands-on review: Something is iffy about this
UK probes Amazon and Microsoft over AI partnerships with Mistral, Anthropic, and Inflection
‘Shōgun’ co-creators break down the finale: ‘It’s a story about death’
Tesla’s new growth plan is centered around mysterious cheaper models
Tesla’s in trouble. Is Elon Musk the problem?
Two widow founders launch DayNew, a social platform for people dealing with grief and trauma
Google Pixel 9 and Pixel 9 Pro: Release date, specs, new features, and other rumors
UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
Mood.camera is an iOS app that feels like using a retro analog camera
-
Business6 days agoLangdock raises $3M with General Catalyst to help businesses avoid vendor lock-in with LLMs
-
Entertainment6 days agoWhat Robert Durst did: Everything to know ahead of ‘The Jinx: Part 2’
-
Entertainment5 days agoThis nova is on the verge of exploding. You could see it any day now.
-
Business5 days agoIndia’s election overshadowed by the rise of online misinformation
-
Business5 days agoThis camera trades pictures for AI poetry
-
Business6 days agoCesiumAstro claims former exec spilled trade secrets to upstart competitor AnySignal
-
Entertainment7 days agoDating culture has become selfish. How do we fix it?
-
Business7 days agoScreen Skinz raises $1.5 million seed to create custom screen protectors
