News is breaking that a leading retailer has seen a website flaw put the privacy of customers’ personal data at risk. This time it is Card Factory, a popular UK-based greeting card business, which has been storing customers’ data insecurely: the public could access customers’ uploaded photos with a basic URL manipulation, an ‘insecure direct object reference’, in which the server returns whatever object a URL names without checking that the requester is entitled to it. Bryan Becker, Application Security Researcher at WhiteHat Security, commented on the incident.
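As an added illustration (not code from the article or from Card Factory), this constructed Python sketch places the insecure lookup pattern described above beside a hardened version, an unguessable-reference helper, and a simple access-log check for id walking; the names PHOTOS, get_photo_hardened, SAMPLE_LOG and the sample data are assumptions.

```python
from dataclasses import dataclass
import secrets

# Constructed sample store (not from the incident): photos keyed by a
# predictable sequential id, the shape that makes IDOR trivial to hit.
@dataclass
class Photo:
    owner: str
    blob: bytes

PHOTOS = {
    1001: Photo("alice", b"alice-photo"),
    1002: Photo("bob", b"bob-photo"),
}

def get_photo_vulnerable(requester: str, photo_id: int):
    """IDOR: the id taken from the URL is trusted as-is; any caller gets any photo."""
    photo = PHOTOS.get(photo_id)
    return photo.blob if photo else None  # None stands for an HTTP 404

def get_photo_hardened(requester: str, photo_id: int):
    """Fix: authorise every lookup against the requester. 'Missing' and 'not yours'
    share the same 404 so the endpoint does not confirm which ids exist."""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo.owner != requester:
        return None
    return photo.blob

def new_photo_ref() -> str:
    """Defence in depth: an unguessable reference instead of a counter. This
    supplements the ownership check above; it never replaces it."""
    return secrets.token_urlsafe(16)

# Constructed access-log tuples (client, photo_id, status) for the detector below.
SAMPLE_LOG = [
    ("198.51.100.4", 1001, 200),
    ("203.0.113.7", 1001, 404), ("203.0.113.7", 1002, 404), ("203.0.113.7", 1003, 404),
    ("203.0.113.7", 1004, 404), ("203.0.113.7", 1005, 404), ("203.0.113.7", 1006, 200),
]

def looks_like_enumeration(log, threshold: int = 5):
    """Detection: with the hardened handler, walking ids you do not own shows up as
    one client collecting 404s across many distinct ids. Return the flagged clients."""
    misses = {}
    for client, photo_id, status in log:
        if status == 404:
            misses.setdefault(client, set()).add(photo_id)
    return {client for client, ids in misses.items() if len(ids) >= threshold}
```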
Bryan Becker, Application Security Researcher at WhiteHat Security:
In Card Factory’s case, they allegedly had no means for responsible disclosure, had no testing and threatened the researcher who provided them with free consulting. The question must be raised: Did Card Factory notify all their customers that their private photos were leaked?
To quote their response: “…the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful (sic) default.” Responsible companies are actively making the internet a more secure place, day by day, and responsible security researchers are actively helping progress that goal. Companies that blame others for their security failings, and actively repress when their users’ data has been breached will not survive long in today’s more vigilant, increasingly regulated landscape.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.