A British classifieds site, Gumtree.com, suffered a data leak after a security researcher found that he could access sensitive, identifiable data about advertisers with one click. According to tech outlet Bleeping Computer, all he was doing was pressing F12 on the keyboard.
It is hard to wrap one's head around how this could happen, and how easily. Still, pressing F12 in a web browser opens the developer tools, which show the page's source code along with the monitoring (network) requests the site makes and the error messages it produces. Anything the site embeds in those places is visible to any visitor who cares to look.
What Experts Say About The Data Leak
“The site was super leaky,” according to the researcher who found the vulnerability. “Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers’ email address, and their full name was available via a simple IDOR vulnerability.”
Even when you are looking at the source code of a page, you are not supposed to be able to see other users' private information. Imagine if, on Facebook Marketplace, anyone could pull up a seller's personal details through the page source. That is a problem, and it is what was happening to sellers on this British classifieds site.
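To make the two failures concrete (an IDOR that lets anyone fetch any seller's record by guessing an id, and a response that carries the seller's private fields into the page), here is an added example written for this article. It is not Gumtree's code; the listing records, the `hideMap` flag and the function names are hypothetical. The vulnerable handler serialises the whole record; the hardened one builds the response from an explicit allow-list, returns only a coarse location when the seller asked for the map to be hidden, and adds personal fields only for the authenticated owner. The last function is the kind of regression check you can run in CI: enumerate every id as an anonymous client and fail if any personal field appears.

```javascript
// Constructed sample data standing in for a classifieds listing store.
// Hypothetical records and field names; not Gumtree's data model.
const listings = new Map([
  [101, { id: 101, title: "Mountain bike", price: 250, sellerId: 7,
          seller: { id: 7, username: "bikefan", fullName: "Alice Example",
                    email: "alice@example.invalid", postcode: "SW1A 1AA",
                    lat: 51.5010, lng: -0.1416, hideMap: true } }],
  [102, { id: 102, title: "Sofa", price: 80, sellerId: 8,
          seller: { id: 8, username: "sofaseller", fullName: "Bob Example",
                    email: "bob@example.invalid", postcode: "M1 1AE",
                    lat: 53.4808, lng: -2.2426, hideMap: false } }],
]);

// Vulnerable version: the "API" returns the whole record. Anyone who can
// guess an id (IDOR) gets the seller's name, email, postcode and exact
// coordinates, regardless of the hideMap preference. This reconstructs the
// pattern the article describes; it is deliberately insecure.
function vulnerableListing(id) {
  const l = listings.get(id);
  return l ? JSON.parse(JSON.stringify(l)) : null;
}

// Coarse location for "hide map" listings: round to 0.1 degree (roughly
// 10 km), so the response no longer pins down the seller's home.
function coarseLocation(lat, lng) {
  return { lat: Math.round(lat * 10) / 10, lng: Math.round(lng * 10) / 10 };
}

// Hardened version: build the response from an allow-list per audience.
// Personal data is only added for the authenticated owner of the listing.
function hardenedListing(id, requester /* { userId } or null */) {
  const l = listings.get(id);
  if (!l) return null;
  const isOwner = requester !== null && requester !== undefined
    && requester.userId === l.sellerId;
  const publicView = {
    id: l.id, title: l.title, price: l.price,
    seller: { username: l.seller.username },
    location: l.seller.hideMap
      ? coarseLocation(l.seller.lat, l.seller.lng)
      : { lat: l.seller.lat, lng: l.seller.lng },
  };
  if (!isOwner) return publicView;
  // Owner-only fields are named explicitly, never spread in from the record.
  return {
    ...publicView,
    seller: { ...publicView.seller, fullName: l.seller.fullName,
              email: l.seller.email, postcode: l.seller.postcode },
  };
}

// Regression check: does any listing, fetched anonymously, expose a
// personal field anywhere in the serialised response?
const PII_KEYS = ["email", "fullName", "postcode"];
function leaksPii(obj) {
  const json = JSON.stringify(obj);
  return PII_KEYS.some((k) => json.includes(`"${k}"`));
}
function anonymousEnumerationLeaks(handler) {
  return [...listings.keys()].some((id) => leaksPii(handler(id, null)));
}
```

The check deliberately matches on serialised key names rather than on the handler's return type, because the leak the researcher described came from whatever the page happened to ship to the browser; a test that inspects the wire form catches a stray `...record` spread that a type-level review would miss.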
The Impact of the Site Leak Remains Unknown
Since Gumtree is one of the top 30 websites in the United Kingdom, it receives millions of unique visitors every month. A leak this large could have significant consequences for the advertisers on the site.
Sellers did not just have their full name, username and email address exposed; their postcode, or even their location as GPS coordinates, was also accessible. What usually follows a leak like this is that affected users see more phishing and social-engineering attacks, since attackers now hold real names, addresses and email addresses that make their messages convincing.
The problem first came to light on November 11th, 2021, and Gumtree partially fixed it five days later, when it learned of the issue. However, it took multiple follow-up messages from the researcher to push the platform to address all of the vulnerabilities, which happened on December 6th. So those using Gumtree had their information exposed for a month or even longer.
While it is always possible that nobody else noticed this flaw, it is better to be safe than sorry. In conclusion, remain vigilant and treat all incoming communications with caution, especially when you are using online marketplaces.