Website Azerty gave access to address information for customers – update


A tool on the website of webshop Azerty exposed the addresses and e-mail addresses of all its customers. It was also possible to see what they had ordered. With a scraper, a malicious party could have built a database of all the addresses.

With the help of the tool, the addresses and e-mail addresses of all Azerty customers were visible, and it was possible to see what someone had ordered. The data concerned over 750,000 orders. The data were accessible through a management interface that was not protected with a username and password, but was open to the public.

An employee of Azerty, probably by accident, sent a link to the management interface to Azerty customer Sebastien Veeke. Through that link only his own order was visible, but by changing the id in the URL other orders became visible too. “I could have made an automated script that collects all the order information,” Veeke said. By playing with the URL, other parts of the administration interface could be found, such as a statistics page showing how often products were sold.
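The flaw described above, an order lookup that trusts the id in the URL, is shown here as an added example (not Azerty's code; the order records, log lines and IP addresses are constructed): the vulnerable lookup beside one that enforces ownership, plus a small check over access logs that flags the kind of scripted id enumeration the article mentions.

```python
from typing import Optional

# Constructed sample data standing in for a webshop's order table.
ORDERS = {
    1001: {"customer": "alice", "address": "Example St 1", "email": "alice@example.test"},
    1002: {"customer": "bob", "address": "Example Ave 2", "email": "bob@example.test"},
}


def order_details_vulnerable(order_id: int) -> Optional[dict]:
    """The pattern in the article: the id from the URL is the only input, so
    any client that edits the id sees another customer's order."""
    return ORDERS.get(order_id)


def order_details_secure(session_user: Optional[str], order_id: int) -> Optional[dict]:
    """Object-level authorization: require an authenticated user and check
    that the order belongs to that user. A missing order and someone else's
    order both yield None, so the response does not reveal which ids exist."""
    if session_user is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        return None
    return order


# Constructed access-log lines in the form "<client> GET <path>".
SAMPLE_LOG = [
    "10.0.0.5 GET /orders/1001",
    "10.0.0.5 GET /account",
] + [f"10.0.0.9 GET /orders/{i}" for i in range(1001, 1007)]


def enumeration_suspects(log_lines, threshold: int = 5) -> list:
    """Detection: return clients that fetched at least `threshold` distinct
    order ids, the signature of a scraper walking the id space."""
    ids_per_client: dict = {}
    for line in log_lines:
        client, _, path = line.split()
        if path.startswith("/orders/"):
            ids_per_client.setdefault(client, set()).add(int(path.rsplit("/", 1)[1]))
    return sorted(c for c, ids in ids_per_client.items() if len(ids) >= threshold)
```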

Veeke had pointed Azerty to the issue earlier on Tuesday. “An employee of Azerty said he was informed and that the problem would be solved,” Veeke said. “But he trivialised the problem.” A few hours after Tweakers pointed Azerty to the security vulnerability, the tool was taken offline.

Te Wierik denies that the company dismissed the vulnerability. He could not explain why the tool was not protected with a username and password. “But I would like to stress that these links have not been sent to each and every customer.” According to the Azerty director, the problem was open for only a short time, but according to informant Veeke it was already possible in mid-June to visit the vulnerable URL.

Update, August 6: Azerty has provided an additional response. “We have reviewed the situation internally and have come to the conclusion that it was indeed possible to view customer data from the management portal through a specific URL,” says Azerty director Jeroen te Wierik. “We have now recovered from our initial shock and, despite my earlier threat, I will of course not dismiss anyone. Our research has shown that a report about this problem was indeed received, but that it was not adequately followed up. For that we want to sincerely apologize. We are taking extra measures to ensure that such reports are properly handled internally.”
