Darren Pauli reports:
Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers' names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy Hunt reported the flaw to the company last Thursday.
The feature means customers are able to check out quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
Read more on The Register.
The firm seems to be a Hong Kong-registered business. Hong Kong has data protection standards. Worse, I don’t see how what they’re doing is consistent with their privacy & security assurances that personal data is kept confidential.
Maybe some consumer should file a complaint with the data protection watchdog in Hong Kong. They’ve really gotten more proactive in the past few years and they might have something to say about this exposure of consumer information.
Thank you for your communication. We do listen to all views. Over the sixteen years we have been operating, it is only occasionally that anyone has taken this position; most accept the convenience of quick access.
We do, however, understand your view, and as we have an account management system that is protected by password, we will make it clearer on our site upon registration that this option is available.
Thank you again for your communication.
Thank you for responding. As a suggestion: make the password-protected state the default setting, and allow users who want to waive it to waive it. But make sure they understand the risks of waiving it.
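As an added illustration, not code from The Register, Strawberrynet or this site, the following compares the quick-checkout lookup described in the report (any e-mail address returns the stored name, address and phone number) with the design suggested in the reply above: password-protected by default, with customers able to waive that protection themselves. All customer records, passwords and function names are constructed for the example. The hardened lookup also returns the same empty result for unknown addresses and for protected accounts, so the endpoint does not confirm whether an address belongs to a customer.

```python
"""Hypothetical quick-checkout lookup, vulnerable and hardened forms.
Everything here is constructed sample data, not Strawberrynet's code."""

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Customer:
    email: str
    name: str
    billing_address: str
    phone: str
    password_hash: bytes
    salt: bytes
    quick_access: bool = False  # True only if the customer has waived the password check


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the sample store never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _password_ok(customer: Customer, password: Optional[str]) -> bool:
    if password is None:
        return False
    candidate = _hash_password(password, customer.salt)
    return hmac.compare_digest(candidate, customer.password_hash)


def make_customer(email, name, address, phone, password, quick_access=False) -> Customer:
    salt = os.urandom(16)
    return Customer(email, name, address, phone, _hash_password(password, salt), salt, quick_access)


# Constructed sample records (not real people).
CUSTOMERS = {
    "alice@example.com": make_customer(
        "alice@example.com", "Alice Example", "1 Sample Street", "+1-555-0100", "correct horse"),
    "bob@example.com": make_customer(
        "bob@example.com", "Bob Example", "2 Sample Street", "+1-555-0101", "battery staple",
        quick_access=True),  # Bob has explicitly opted into quick access
}

PROFILE_FIELDS = ("name", "billing_address", "phone")


def _profile(customer: Customer) -> dict:
    return {field: getattr(customer, field) for field in PROFILE_FIELDS}


def vulnerable_quick_checkout(email: str) -> Optional[dict]:
    """The design the report describes: the e-mail address alone is enough."""
    customer = CUSTOMERS.get(email.strip().lower())
    return None if customer is None else _profile(customer)


def hardened_quick_checkout(email: str, password: Optional[str] = None) -> Optional[dict]:
    """Password-protected by default. Details are released only if the caller
    proves the account password or the customer has waived the protection.
    Unknown addresses and protected accounts give the identical None result."""
    customer = CUSTOMERS.get(email.strip().lower())
    if customer is None:
        # Spend comparable time so response timing does not reveal unknown addresses.
        _hash_password(password or "", b"\x00" * 16)
        return None
    if customer.quick_access or _password_ok(customer, password):
        return _profile(customer)
    return None


def set_quick_access(email: str, password: str, enable: bool) -> bool:
    """Waiving (or restoring) the protection is itself an authenticated action,
    which is where a site would present the risk of cleartext quick access."""
    customer = CUSTOMERS.get(email.strip().lower())
    if customer is None or not _password_ok(customer, password):
        return False
    customer.quick_access = enable
    return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_quick_checkout("alice@example.com"))
    print("hardened, no password:", hardened_quick_checkout("alice@example.com"))
    print("hardened, password:", hardened_quick_checkout("alice@example.com", "correct horse"))
    print("hardened, opted-in:", hardened_quick_checkout("bob@example.com"))
```

The point of the comparison is that the convenience the company defends survives in the hardened form for anyone who chooses it; what changes is that the default state exposes nothing, and that the waiver cannot be set by someone who only knows the address.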