News is breaking that a leading retailer has seen a website glitch put the privacy of customers’ personal data at risk. This time, Card Factory, a popular UK-based greeting card business, has been storing customers’ data in an insecure way, letting the public access their photos with a basic URL trick, specifically through an ‘insecure direct object reference.’ Bryan Becker, Application Security Researcher, WhiteHat Security, commented on the incident.
Bryan Becker, Application Security Researcher at WhiteHat Security:
“The Card Factory security incident is an important reminder that our personal information is constantly at risk. Unfortunately, Card Factory’s response to the personal data breach shows they are out of touch with the realities of modern software security and failed to follow Secure Coding Principles. The first steps any company should take to start a security program (in any order) are to: a) Set up some sort of auditing, testing, or scanning, b) Implement a responsible disclosure program: an email linked on their website (ex.[email protected]) accompanied with a description of the policy. To go further, companies can include a PGP key so researchers can encrypt sensitive data they may have found when reporting.
In Card Factory’s case, they allegedly had no means for responsible disclosure, had no testing and threatened the researcher who provided them with free consulting. The question must be raised: Did Card Factory notify all their customers that their private photos were leaked?
To quote their response: “…the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful (sic) default.” Responsible companies are actively making the internet a more secure place, day by day, and responsible security researchers are actively helping progress that goal. Companies that blame others for their security failings, and actively repress when their users’ data has been breached will not survive long in today’s more vigilant, increasingly regulated landscape.”