IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Gumtree site code made personal data of users and sellers publicly accessible

Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website

Security researchers have discovered that data belonging to customers of online marketplace Gumtree may have been leaked through the site's HTML code.

User data such as GPS location, full names, email addresses, and postcodes of users and sellers, could all be accessed through the site's publicly accessible site code, according to researchers from Pen Test Partners.

Simply opening up the HTML code of the website using a tool like Google Chrome's 'inspect element' was all that was required to view the information in question.

Pen Test Partners said the site "was super leaky" and that every listing on Gumtree would include the seller's postcode or GPS coordinates, even if the seller requested their location to be hidden.

Gumtree's website operates on a first name basis - users and sellers only ever see each other's first names and use a private messaging service built into the site for communication, avoiding emails.

Related Resource

Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures

White square with whitepaper title on top of a background image of a building and pavementFree download

But email addresses were visible in the HTML code and user surnames could also be viewed by exploiting an insecure direct object references (IDOR) vulnerability. The vulnerability was found in an API used exclusively for iOS users, Pen Test Partners said, and one of its endpoints was vulnerable to a simple unauthenticated IDOR attack.

IDOR attacks can be carried out in a number of ways, but commonly attackers can cross-reference account IDs with a website's backend database and pull personal information using it. They can then modify the ID to pull data from other user accounts too.

Before publicly disclosing the leak this week, Pen Test Partners attempted to alert Gumtree via its third-party bug bounty programme. Run by Netherlands-based Zerocopter, the bug bounty programme required researchers to sign a non-disclosure agreement (NDA) as part of the submission, something the researchers were reluctant to do. Instead, they decided to alert Gumtree directly through its customer service team.

Gumtree has since fixed the issues causing the information leak and said it self-reported to the Information Commissioner's Office (ICO).

"People have the right to expect that organisations will handle their personal information securely and responsibly," said an ICO spokesperson to IT Pro. "If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.

"Gumtree made us aware of an incident. After carefully reviewing the information, we decided no formal action was required and we provided data protection advice to the organisation."

Gumtree told IT Pro it remediated the issues raised by Pen Test Partners "within hours" of being made aware of them and all issues with the website, both with the iOS API and other backend code are fully resolved.

"In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue," it said.

"These included fixing the vulnerabilities, updating our safety messaging on site and mitigating against future issues. We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate. We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required."

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse
components

Why India wants to become a chipmaking powerhouse

28 Jun 2022