January 24, 2021

Is this a major security hole at an unnamed fashion retailer?

I’ve just ordered some clothes from an unnamed upmarket fashion retailer, and created an account with them. When I ordered, a link to track my order was emailed to me – so far, so normal.

The link has the following structure: https://*retailer*.com//……?orderEmail=*myemailaddress*&orderID=*myorderid*

When opening that link, you can see my address, the item I ordered, my phone number, and my payment method (not the full card number, just the last four digits). You don’t need to authenticate at all to be able to access the link.

I tested sending the link to somebody I know, and, upon opening the link, they were able to see the same details as me – phone number, address, etc.

Am I right in thinking this is a pretty major vulnerability, and potentially a breach of GDPR? If you obtained a list of emails of customers of this retailer (probably quite easy to do), and sequentially went through order numbers, you could farm addresses and phone numbers of people who have money to burn, and potentially sell this information on.
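The pattern described in the post is a classic insecure direct object reference: the tracking endpoint trusts two guessable query parameters (orderEmail, orderID) and performs no session or token check. The following is an added illustration, not code from the post or from any retailer's site. The order store, the email addresses, the order numbers and the function names (track_vulnerable, enumerate_orders, issue_tracking_token, track_hardened) are all constructed for the example. It shows the enumeration attack the poster describes, then a hardened lookup that releases order details only to the logged-in owner or to the holder of a server-signed, unguessable tracking token.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; no real customers or orders.
# Sequential order numbers are what makes the sweep in enumerate_orders cheap.
ORDERS = {
    1001: {"email": "alice@example.com", "address": "1 High St", "phone": "07700 900001", "card_last4": "4242"},
    1002: {"email": "bob@example.com", "address": "2 Low Rd", "phone": "07700 900002", "card_last4": "1111"},
    1003: {"email": "carol@example.com", "address": "3 Mid Ln", "phone": "07700 900003", "card_last4": "9999"},
}


def track_vulnerable(order_email, order_id):
    """Mirrors the tracking link in the post: returns the full order record if the
    supplied email matches the order, with no authentication at all. Anyone who
    can guess (email, order id) pairs gets the customer's address, phone and card suffix."""
    order = ORDERS.get(order_id)
    if order is None or order["email"].lower() != order_email.lower():
        return None
    return order


def enumerate_orders(candidate_emails, first_id, last_id):
    """The farming attack described in the post: given a list of customer emails,
    walk the sequential order-id space and collect every record that responds."""
    harvested = {}
    for order_id in range(first_id, last_id + 1):
        for email in candidate_emails:
            record = track_vulnerable(email, order_id)
            if record is not None:
                harvested[order_id] = record
                break  # one email matches per order; move on to the next id
    return harvested


# Hardened version. The secret lives only on the server; it is generated at
# start-up here purely so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def issue_tracking_token(order_id):
    """Token embedded in the 'track your order' email instead of the raw (email, id) pair.
    HMAC over the order id with a server secret: unforgeable and not enumerable,
    so knowing a customer's email and guessing the id gains nothing."""
    return hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()


def track_hardened(order_id, token=None, session_email=None):
    """Release the order only if the caller is the authenticated owner (session_email
    set by the server from the login session, never from the query string) or presents
    a valid tracking token. Token comparison is constant-time to avoid a timing oracle."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if session_email is not None and session_email.lower() == order["email"].lower():
        return order
    if token is not None and hmac.compare_digest(token.encode(), issue_tracking_token(order_id).encode()):
        return order
    return None


if __name__ == "__main__":
    # Attacker with a leaked email list sweeps a small id range against the weak endpoint.
    loot = enumerate_orders(["alice@example.com", "bob@example.com"], 1000, 1010)
    print("harvested from vulnerable endpoint:", sorted(loot))
    # The same sweep against the hardened endpoint yields nothing without a token or session.
    print("harvested from hardened endpoint:",
          [i for i in range(1000, 1011) if track_hardened(i) is not None])
    print("legitimate link works:", track_hardened(1001, token=issue_tracking_token(1001)) is not None)
```

Two caveats a practitioner would raise. First, a signed token in an email link is still a bearer capability: anyone the email is forwarded to (as in the poster's test) can open it, so the hardened endpoint should show only what tracking genuinely needs (status and carrier), not the address, phone number or card suffix, and should expire the token. Second, the session check must come from the server's own session, never from a parameter the client controls, or the fix collapses back into the original bug.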
