I’ve just ordered some clothes from an unnamed upmarket fashion retailer, and created an account with them. When I ordered, a link to track my order was emailed to me – so far, so normal.
The link has the following structure: https://*retailer*.com//……?orderEmail=*myemailaddress*&orderID=*myorderid*
When opening that link, you can see my address, the item I ordered, my phone number, and my payment method (not the full card number, just the last four digits). You don’t need to authenticate at all to access the link.
I tested sending the link to somebody I know, and, upon opening the link, they were able to see the same details as me – phone number, address, etc.
Am I right in thinking this is a pretty major vulnerability, and potentially a breach of GDPR? If you obtained a list of email addresses of customers of this retailer (probably quite easy to do), and sequentially went through order numbers, you could farm addresses and phone numbers of people who have money to burn, and potentially sell this information on.
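As an added illustration (example code written for this page, not code from the original post or from the retailer), here is the tracking endpoint described above modelled in Python, the enumeration attack the post sketches run against it, and a hardened version beside it. The order records, the session store, the session cookie value and the HMAC signing key are all constructed assumptions; the point is that a lookup keyed only on an email address plus a sequential order number is authorization by guessable values, whereas the hardened lookup returns personal data only to the logged-in owner and gives the emailed link an unguessable signed token that unlocks shipping status alone.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Constructed sample order records standing in for the retailer's database.
# Nothing here comes from the original post; names, phones and addresses are made up.
ORDERS = {
    1001: {"email": "alice@example.com", "address": "1 High St, London",
           "phone": "+44 7700 900001", "card_last4": "4242", "status": "shipped"},
    1002: {"email": "bob@example.com", "address": "2 Low Rd, Leeds",
           "phone": "+44 7700 900002", "card_last4": "1111", "status": "packed"},
    1003: {"email": "alice@example.com", "address": "1 High St, London",
           "phone": "+44 7700 900001", "card_last4": "4242", "status": "delivered"},
}

# Constructed session store: session cookie value -> authenticated account email.
SESSIONS = {"sess-alice-abc123": "alice@example.com"}

# Assumed server-side secret for signing per-order tracking tokens. In a real
# deployment it comes from a secrets manager, not a fresh value per process.
SECRET_KEY = secrets.token_bytes(32)


def track_order_vulnerable(order_email: str, order_id: int):
    """Models the endpoint in the post: anyone who supplies a matching
    orderEmail and orderID receives the full record, with no login at all."""
    order = ORDERS.get(order_id)
    if order is None or order["email"].lower() != order_email.lower():
        return None
    return dict(order)


def enumerate_orders(known_emails, id_range):
    """The farming attack the post describes: try every (email, order id)
    pair against the unauthenticated endpoint and keep whatever comes back."""
    harvested = {}
    for email, order_id in product(known_emails, id_range):
        record = track_order_vulnerable(email, order_id)
        if record is not None:
            harvested[order_id] = record
    return harvested


def make_tracking_token(order_id: int) -> str:
    """Unguessable per-order token to put in the emailed tracking link in
    place of the customer's email address (HMAC-SHA256 over the order id)."""
    return hmac.new(SECRET_KEY, str(order_id).encode(), hashlib.sha256).hexdigest()


def _status_view(order_id: int, order: dict) -> dict:
    # An emailed link can be forwarded, so it only ever reveals shipping status.
    return {"order_id": order_id, "status": order["status"]}


def track_order_hardened(order_id: int, session_token=None, tracking_token=None):
    """Hardened lookup: full details only for the logged-in account that owns
    the order; a valid signed tracking token gets a status-only view; any
    other request gets nothing."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    account = SESSIONS.get(session_token) if session_token else None
    if account is not None and account == order["email"]:
        return dict(order)
    if tracking_token is not None and hmac.compare_digest(
            tracking_token, make_tracking_token(order_id)):
        return _status_view(order_id, order)
    return None


if __name__ == "__main__":
    leaked = enumerate_orders(["alice@example.com", "bob@example.com"], range(1000, 1010))
    print("vulnerable endpoint leaked", len(leaked), "orders:", sorted(leaked))
    print("hardened, anonymous:", track_order_hardened(1001))
    print("hardened, owner session:", track_order_hardened(1001, session_token="sess-alice-abc123"))
    print("hardened, emailed token:", track_order_hardened(1001, tracking_token=make_tracking_token(1001)))
```

Two checks worth running against a real site before reporting: whether changing only orderID while keeping your own orderEmail returns someone else's record (the email check is then missing entirely), and whether the link still works after you log out of the account, which confirms that the parameters alone are the authorization.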