UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.
British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.
In both Firefox and Chrome, F12 opens the “view page source” developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site’s 1.7 million monthly sellers.
PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.
The bug bounty policy specified €500-€5,000, PTP added, and “after the issue was fixed, [it was] informed that no reward was payable because – ‘This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself.’”
In a blog post about the kerfuffle, a PTP researcher said: “After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum.”
The post added:
PTP said that every single ad on Gumtree, which at its lowest tier is free to use, contains the seller’s postcode or GPS coordinates – “even if the seller requested the map of their location to be hidden.”
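As an added example (not code from PTP’s write-up or from Gumtree), here is the kind of check a site operator could run over its own rendered listing pages to catch the leak described above: it pulls every `<script>` block out of the page, parses any JSON state blob and reports fields carrying a UK postcode or latitude/longitude values, whether or not the visible map is hidden. The listing page below is a constructed sample, not a real Gumtree page.

```python
import json
import re

# Constructed sample of a listing page (not a real Gumtree page): the visible
# HTML says the map is hidden, but an embedded JSON state blob still carries
# the seller's postcode and GPS coordinates.
SAMPLE_AD_PAGE = """<html><body>
<div class="ad-map" data-hidden="true">Map hidden by seller</div>
<script type="application/json" id="__state__">
{"ad": {"id": 123, "title": "Sofa"},
 "seller": {"name": "A. Seller", "postcode": "SW1A 1AA",
            "geo": {"lat": 51.5014, "lng": -0.1419}}}
</script>
</body></html>"""

SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b")
COORD_KEYS = {"lat", "latitude", "lng", "lon", "longitude"}

def walk(obj, path=""):
    """Yield (path, value) for every leaf of a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj

def find_location_leaks(page_html):
    """Return the JSON paths (or raw-text matches) in a page's <script> blocks
    that expose a UK postcode or a latitude/longitude value."""
    hits = []
    for script in SCRIPT_BLOCK.findall(page_html):
        try:
            data = json.loads(script)
        except ValueError:
            # Not a JSON blob: fall back to a postcode regex over the raw script text
            hits += [f"text:{m}" for m in UK_POSTCODE.findall(script)]
            continue
        for path, value in walk(data):
            key = path.rsplit(".", 1)[-1].lower()
            if key in COORD_KEYS or (isinstance(value, str) and UK_POSTCODE.search(value)):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    print(find_location_leaks(SAMPLE_AD_PAGE))
```

Run against a crawl of your own listing pages, any non-empty result is a field that should be stripped from the server-rendered state when the seller has asked for their location to be hidden.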
The firm also found an insecure direct object reference vuln (IDOR) affected one of Gumtree’s APIs, used to power its iOS app. The IDOR allowed users’ full names to be read off at will “and didn’t require any authentication.”
In a statement Gumtree told The Register: “We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention. After becoming aware of the above, we were subsequently notified of a further issue with our API for iOS devices. This has also been resolved.”
Gumtree said it had informed the Information Commissioner’s Office and “planned to monitor the issue”, while adding: “We take the privacy of our users very seriously and we are sorry this incident occurred.”
It didn’t answer The Register’s question of whether it had told users that their name and location information had been exposed.
IDORs have led to trouble in the past for internet-facing businesses, including one “female focused” dating app that accidentally leaked users’ data – and reacted rather badly to a clunky disclosure attempt.
Earlier this year an American politician demanded criminal prosecution of a journalist who noticed that pressing F12 while viewing a local state education board’s website revealed quite a lot of personal data of teachers. ®