Strawberrynet says it’s convenient for customers, security chaps say it’s stupidly convenient for crims
Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy Hunt reported the flaw to the company last Thursday.
The feature means customers are able to checkout quickly by just putting their email address into a text entry box.
Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
Hunt says the company responded to the disclosure, telling one unnamed researcher who privately reported the flaw that email addresses were sufficiently secure and that a password was not required.
The mail explains the company’s stance as follows:
Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.
Hunt calls the flaw “unfathomably reckless” and points to the most obvious attack scenario in which the email-entry field can be subject to brute force attacks and pumped with a huge number of email addresses available in public leak databases.
Such an attack would return personal information against those records.
Enter a matching email address, get free dox.
The company cited its use of SSL and compliance with the payment card industry data security standard, both of which would do nothing to stop a brute force attack.
“This is just unfathomably reckless, stupid and shows a total disregard for customer privacy,” Hunt says.
“Someone could hypothetically feed in a big list of email addresses and extract the personal data of what would surely be at least tens of thousands of customers.
“Names, addresses, phone numbers all retrievable with nothing more than an email address.”
@Strawberrynet should be other way – if you were UK based, you’d be getting a colonoscopy from the ICO under the Data Protection Act.
— Richard Price (@RichardPrice) August 19, 2016
The company shouted out on Twitter, where it asked customers whether they preferred security or convenience.
“We hear your concerns about data leakage.
To address this, we welcome you to email firstname.lastname@example.org to request your address be hidden.”
The question drew expectant forehead-slapping tweets from the tech sector chastising the company for trashing good security practice. ®
Sponsored: 2016 Cyberthreat defense report