Clothing Retailer Patches Website Flaw Exposing Customer Data
Briefly

"The vulnerability, discovered by a security researcher, did not require advanced hacking techniques, only knowledge of how the URLs were structured."
"Bango, in his statement to TechCrunch, said: 'When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order, and someone else's order information came up!'"
"Normally, information like this is meant to be behind a properly authenticated page, locked away from even other Express users."
"The exposure included customer information such as names, phone numbers, email addresses, and postal billing and delivery addresses."
Express recently fixed a vulnerability that exposed customer data via order confirmation pages. The flaw arose from sequential order IDs in URLs, enabling unauthorized access to personal details. Discovered by security researcher Rey Bango during a fraudulent transaction investigation, the issue allowed anyone to view sensitive information by simply altering the web address. This practice of sequentially assigning order numbers poses significant risks, as it bypasses necessary authentication and can be exploited at scale.
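To make the flaw described above concrete, here is an added example (not code from Express, TechRepublic or the researcher) that contrasts an order-lookup handler which trusts the order number in the URL with one that verifies ownership against the authenticated session, adds unguessable order references as defence in depth, and flags clients walking consecutive order numbers in access logs. The order store, user names and log lines are constructed sample data.

```python
"""Sequential-ID order lookup: vulnerable pattern beside a hardened one,
plus a simple log check for enumeration. All data here is constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: str
    owner: str
    details: dict


# Constructed store using sequential numeric IDs, the pattern the article describes.
ORDERS = {
    "100001": Order("100001", "alice", {"name": "Alice A.", "phone": "555-0100"}),
    "100002": Order("100002", "bob", {"name": "Bob B.", "phone": "555-0101"}),
}


class Forbidden(Exception):
    """Raised when the requester is not entitled to the order."""


def get_order_vulnerable(order_id: str) -> Optional[dict]:
    """Vulnerable pattern: the handler trusts the ID taken from the URL and
    never asks who is requesting it, so changing 100001 to 100002 in the
    address returns another customer's details."""
    order = ORDERS.get(order_id)
    return order.details if order else None


def get_order_hardened(session_user: str, order_id: str) -> dict:
    """Hardened pattern: look the order up, then require that the
    authenticated session user owns it. Missing and foreign orders get the
    same response so the page does not confirm which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden("order not found")
    return order.details


def new_order_reference() -> str:
    """Defence in depth: an unguessable reference for confirmation URLs makes
    enumeration impractical even if an ownership check is missed somewhere.
    It complements the check above; it does not replace it."""
    return secrets.token_urlsafe(16)


# Constructed access-log lines: one client walking consecutive order numbers.
SAMPLE_LOG = """\
203.0.113.7 GET /order/100001
203.0.113.7 GET /order/100002
203.0.113.7 GET /order/100003
198.51.100.4 GET /order/100042
"""


def enumeration_suspects(log_text: str, min_run: int = 3) -> list:
    """Return clients whose requested order IDs include a run of at least
    `min_run` consecutive integers, a cheap signal of ID enumeration."""
    seen = {}
    for line in log_text.splitlines():
        client, _, path = line.split()
        if path.startswith("/order/") and path[7:].isdigit():
            seen.setdefault(client, set()).add(int(path[7:]))
    suspects = []
    for client, ids in seen.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                suspects.append(client)
                break
    return suspects


if __name__ == "__main__":
    print("vulnerable lookup of 100002:", get_order_vulnerable("100002"))
    try:
        get_order_hardened("alice", "100002")
    except Forbidden as exc:
        print("hardened lookup by alice of 100002:", exc)
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The ownership check is the actual fix; random references only raise the cost of guessing and do not make an unauthenticated page safe. The log check is deliberately simple and is meant as a starting point for an alert, not a complete detection.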
Read at TechRepublic