I want to note up front that I decided to write this post in the hope of drawing attention to this problem, because technical support, which I contacted 3 days ago, has still not closed this hole.
Prehistory
Not so long ago, MediaMarkt ran a wide advertising campaign in the media in which everyone was invited to take part in an essay contest; the winner would get the chance to take any goods out of MediaMarkt for free over a certain time period. One of the conditions of the contest was a subscription to a periodic newsletter on the company's website, for which it was necessary to fill in a small profile.
I decided to participate in the contest, created an account on the site and subscribed to the newsletter.
Problem
After yet another letter from MediaMarkt, I decided that I did not want to see this advertising tinsel in my mailbox and decided to unsubscribe.
At the very end of the letter, I saw the link "If you no longer want to receive Media Markt offers, click here."
I clicked on the link and was very surprised, because a profile editing page opened with someone else's data (first name, last name, email, date of birth, mobile and home phones and the nearest MediaMarkt store). I clicked on the link again. The same page opened with the same stranger's data.
I found a feedback form on the site, described the problem and received an answer:
Hello,
Thank you for not leaving this case without attention and for taking the time to write to us.
Your information has been passed on to the specialists of the Central Office who are engaged in the development of the site.
Once again we offer you our sincere apologies and hope that this case will not affect your decision to visit our store in the future.
Problem development
Today I decided to click the unsubscribe link in this letter once again. The profile editing page opened again, but this time with a different stranger's data.
Apparently, the unique user hashes that are used in the link to identify the subscriber change periodically, and the user to which a given hash resolves changes with them.
Potential threat
I can offer one of thousands of possible uses of this hole:
1. Register a batch of accounts on the site (say, a hundred) and subscribe them to the newsletter. All the mailboxes are set to forward to one shared mailbox.
2. Wait for the mailing; once a day, follow the unsubscribe link from each letter and collect other people's personal data. In our case that is roughly a hundred user cards per day, each containing the full name, date of birth, email, mobile and home phones, and even an approximate geographical location via the selected MediaMarkt store.
3. Having collected the required amount of personal data, use the database for personal gain: spam, SMS spam, targeted spam (for example, "A special offer for your birthday"), sales, sabotage (placing ads on behalf of other people), dating, fraud, hijacking of social-network and mail accounts, and many, many other options, limited only by the attacker's imagination.
As you can see, the hole is not just big, but VERY big. To close it, it would have been enough, as a temporary patch, to redirect users who click the unsubscribe link to the login page, so that the user is guaranteed to be logged in to their own account, and meanwhile deal with the broken hashes.
However, in 3 days the "specialists of the Central Office" found no time for this.
I believe that such negligence is not acceptable for such a large international company.
Everyone makes mistakes sooner or later, but the professionalism of employees is determined by the ability to recognize and correct them in time and to prevent their recurrence.
I hope that this post will serve as a good kick and force this situation to be corrected.
UPD:
I see that many consider 3 days insufficient to fix such a hole.
I do not think that 3 days (even if 2 of them were days off) is too little to correct such a mistake.
I judge by myself and my acquaintances: if such a significant hole were found, management would get every programmer on their feet, weekend or not. Within 15-30 minutes the patch would have been deployed, and the investigation into the causes and the proper fix left until Monday. At least until Monday, no casual user would have had access to other people's personal data.
I think this is normal.
I understand that bureaucratic delays within the company could slow the transfer of information to the programmers who actually fix things. But this is no excuse for such a hole. If so, then let the company review its policy for promptly notifying developers of serious problems, because this should not become a problem for the end users of the company's website, whose personal data suddenly became available to outsiders.
UPD2:
Apparently the hole has been closed: the unsubscribe link now opens an empty form without data. Or perhaps that is because I deleted my account, not wanting to disclose my information to third parties. I will clarify that the form with someone else's data still opened this morning, when the account had already been deleted.