A UK-based classified site and used goods marketplace, Gumtree, leaked personally identifiable information (PII) of its users' in the source code of its webpages.
Alan Monie, a security researcher from British company Pen Test Partners (PTP) discovered the data leak, which meant anyone could access Gumtree user's name email address, account registration date, account type, and location (either postcode or GPS coordinates) by just pressing F12 in their web browser.
In a normal circumstance, when F12 is pressed in Firefox and Chrome browsers, it opens the "view page source" developer tools screen which allows the user to view the source code of the website, analyze network requests, and monitor error messages of the website. It is considered a primary security measure to make sensitive data inaccessible when using a website, even if you view its source code.
"The site was super leaky. Every advert on the site included the seller's postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers' email address, and their full name was available via a simple IDOR vulnerability," explained a report by Monie.
Gumtree is one of the top 30 websites in the UK, with 14.8 million monthly unique visitors, according to a traffic audit in 2010. As such, this leak may have impacted a large number of advertisers on the site.
The consequences of having this type of information exposed are serious, as the compromised users could become victims of phishing or social engineering assaults that use this information to try and harvest more private details.
Additionally, the firm uncovered an insecure direct object reference vulnerability (IDOR) affecting one of Gumtree's APIs, used to power its iOS app. The IDOR allowed users' full names to be read off at will and didn't require any verification.
Upon discovering the security loophole on November 11, 2021, Monie reported Gumtree of the issue, which partially addressed the incident on November 16, 2021. After multiple additional messages by the researcher, the platform fixed all the issues on December 06, 2021.
"We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention. After becoming aware of the above, we were subsequently notified of a further issue with our API for iOS devices. This has also been resolved,” Gumtree explained.