Gumtree site code made personal data of users and sellers publicly accessible

Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website

Security researchers have discovered that data belonging to customers of online marketplace Gumtree may have been leaked through the site's HTML code.

User data such as GPS location, full names, email addresses, and postcodes of users and sellers, could all be accessed through the site's publicly accessible site code, according to researchers from Pen Test Partners.

Simply opening up the HTML code of the website using a tool like Google Chrome's 'inspect element' was all that was required to view the information in question.

Pen Test Partners said the site "was super leaky" and that every listing on Gumtree would include the seller's postcode or GPS coordinates, even if the seller requested their location to be hidden.

Gumtree's website operates on a first name basis - users and sellers only ever see each other's first names and use a private messaging service built into the site for communication, avoiding emails.

Related Resource

Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures

White square with whitepaper title on top of a background image of a building and pavementFree download

But email addresses were visible in the HTML code and user surnames could also be viewed by exploiting an insecure direct object references (IDOR) vulnerability. The vulnerability was found in an API used exclusively for iOS users, Pen Test Partners said, and one of its endpoints was vulnerable to a simple unauthenticated IDOR attack.

IDOR attacks can be carried out in a number of ways, but commonly attackers can cross-reference account IDs with a website's backend database and pull personal information using it. They can then modify the ID to pull data from other user accounts too.

Before publicly disclosing the leak this week, Pen Test Partners attempted to alert Gumtree via its third-party bug bounty programme. Run by Netherlands-based Zerocopter, the bug bounty programme required researchers to sign a non-disclosure agreement (NDA) as part of the submission, something the researchers were reluctant to do. Instead, they decided to alert Gumtree directly through its customer service team.

Gumtree has since fixed the issues causing the information leak and said it self-reported to the Information Commissioner's Office (ICO).

"People have the right to expect that organisations will handle their personal information securely and responsibly," said an ICO spokesperson to IT Pro. "If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.

"Gumtree made us aware of an incident. After carefully reviewing the information, we decided no formal action was required and we provided data protection advice to the organisation."

Gumtree told IT Pro it remediated the issues raised by Pen Test Partners "within hours" of being made aware of them and all issues with the website, both with the iOS API and other backend code are fully resolved.

"In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue," it said.

"These included fixing the vulnerabilities, updating our safety messaging on site and mitigating against future issues. We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate. We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required."

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022