All a user required was to open Gumtree’s website and press the F12 button on Chrome or Firefox browsers to view users’ personal data.
A UK-based classified site and used goods marketplace, Gumtree, exposed the home addresses of its users in its webpages source code. Gumtree is among the top 30 sites in Britain, and millions of new users visit the site every month.
This indicates the leak could have possibly impacted a significant number of advertisers on this website. Reportedly, around 1.7 million monthly sellers’ data could be exposed in the leak.
What is the Issue?
British firm Pen Test Partners discovered the data leak. The issue was that anyone could have accessed the PII (personally identifiable information) of Gumtree users and sellers just by pressing F12 on the keyboard while using Google Chrome and Firefox browser.
In a normal scenario, when f12 was is pressed in any of the aforementioned browsers, it opens the developer tools console allowing the user to view the source code of the website, examine network requests, and monitor error messages of the website.
However, in Gumtree’s case, anyone could have viewed the site’s users’ name and location (including GPS coordinates and postcode) upon pressing the F12 key.
Which Data was Leaked?
Pen Test Partners Alan Monie identified that he could view the PII of sellers by simply viewing the advertising source code of the site.
“The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers’ email address, and their full name was available via a simple IDOR vulnerability,” Monie wrote in the report.
Moreover, researchers noted that the Gumtree website also features an API explicitly designed to be used by the iOS app of the site. One of the API endpoints was found to be vulnerable to Insecure Direct Object References (IDOR) attack, causing more information to be leaked.
Therefore, the full leaked data included the following:
- Full name
- Account type
- Email ID
- Account registration date
- GPS coordinates or Postcodes
Gumtree Fixed the Issue
When Gumtree was notified by Pen Test Partners on 11 November 2021, the company partially fixed the issue by 16 November, and eventually, all the problems were addressed by Gumtree on 6 December 2021.
However, Monie noted that such leaks could be detrimental for the affected users as they get exposed to all sorts of online attacks/scams. Such as phishing attacks and social engineering attacks. Attackers could try to harvest more sensitive data from the users.
Here’s an excerpt from the official statement released by Gumtree after fixing the issue:
“We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention. After becoming aware of the above, we were subsequently notified of a further issue with our API for iOS devices. This has also been resolved.”
The company noted that it had informed the Information Commissioner’s Office. But, it didn’t explain whether the impacted users have been informed about the leak or not.