Beauty site lets anyone read customers' personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature. The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy …

  1. Anonymous Coward
    FAIL

    Email address only ?

    No password ? And they're not planning on doing ANYTHING about it ? ------------>

  2. Anonymous Coward
    Anonymous Coward

    Awesome....

    ...I know that girl's email address. Now I can find her physical address and wait for her.

    No joke icon, as is the sort of nasty thing that could happen.

  3. Tony S
    Pirate

    This happens far too often

    I've said it before; I'll say it again.

    Nothing will change until the people at the top making / allowing this sort of idiotic decisions to occur are held personally responsible.

    I'm not talking about a slap on the wrist; the directors need to be facing serious financial penalties that really will make them squeal.

    Voltaire said it best:

    "Dans ce pays-ci, il est bon de tuer de temps en temps un amiral pour encourager les autres."

    "In this country, it is wise to kill an admiral from time to time to encourage the others."

    1. CrazyOldCatMan Silver badge

      Re: This happens far too often

      > "In this country, it is wise to kill an admiral from time to time to encourage the others."

      There's a reason why the Napoleonic French fleet regularly got shot to pieces by the British Navy..

      (Mind you, our Navy doesn't have a sparkling record in that regard either - but at least we didn't shoot commanders on a whim)

      1. tony2heads
        Pirate

        Re: This happens far too often

        Shoot them - no! Surely you mean hang from the highest yardarm in the British Fleet.

        But I believe Admiral Byng was actually shot

      2. Random Handle

        Re: This happens far too often

        >> "In this country, it is wise to kill an admiral from time to time to encourage the others."

        >There's a reason why the Napoleonic French fleet regularly got shot to pieces by the British Navy.....but at least we didn't shoot commanders on a whim

        'this country' was England and we absolutely did shoot them on the whim of the pathetic George II - Voltaire was referring to the execution of Admiral Byng who made the reasonable decision not to sacrifice his fleet to a (numerically) superior French force as he knew reinforcement was pending.

    2. Mark 85

      @Tony S -- Re: This happens far too often

      Well... since change like you suggest won't ever happen as long as those at the top watch the bottom line, the next best thing would be for customers to vote with their pocketbooks/wallets. If the customers start going somewhere else and let the company management know why they are leaving, things might change.

      Or the company will file lawsuits at someone..... which seems to be the case lately.

  4. Anonymous Coward
    Anonymous Coward

    Reminds me of Hammersmith...

    Reported by El Reg some time ago: you could log onto the Hammersmith / Wimbledon website using only an e-mail address. And to add insult to injury the (valid!) e-mail address of the administrator could be found right on the about page of said website (for more details see link to El Reg article).

    Makes you wonder where in the heck those websites get their infrastructure from. Maybe a local "web guru" or -gasp- could they have hired the services of a "skilled" web design agency?

  5. Black Rat
    Devil

    I wonder if Jenny Drop Tables shops there?

    1. Scott 53

      Jenny Drop Tables

      Is that little Bobby's sister?

  6. MrT

    What they need to do...

    ... is follow the accepted beauty industry practice, invent a trademarkable pseudonym for this dropped bollock, then hire some D-list slebs to slowly explain why it's a good thing to each other, (if it includes at least one who happens to have released an exercise video, all the better). Smiles all round, bouncy hair and whitened teeth. Problem solved!

  7. Alister

    I don't see how this can possibly be PCI-DSS compliant.

    I know that every year we have a fight with the pen-testers because they say our password reset facility on a certain site allows enumeration of valid email addresses. (It doesn't: if you put in a non-existent email address you don't get an email, and there's no message to say whether it was valid or not.)

    Maybe they should get a different QA.
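    The reset flow Alister describes, written out as an added example (not code from the article, the shop, or any commenter): the handler answers identically whether or not the address is registered, and the existence check is moved to a background worker so neither the reply nor its timing leaks the lookup result. The customer store, queue and outbox are constructed stand-ins.

```python
import secrets
from collections import deque

# Constructed in-memory customer store; stands in for the shop's real database.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice Example", "phone": "01234 567890"},
}

# Jobs the web handler hands to a background worker, so the HTTP reply never
# waits on (or depends on) whether a mail is sent.
RESET_QUEUE = deque()
OUTBOX = []  # mails the worker actually "sent": (address, token)

GENERIC_REPLY = (200, "If that address is registered, a reset link has been sent.")


def leaky_reset(email):
    """The pattern pen-testers flag: status code and wording reveal whether the address exists."""
    if email not in CUSTOMERS:
        return 404, "No account with that e-mail address."
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return 200, "Reset link sent."


def safe_reset(email):
    """Identical reply for every address; the existence check happens off the request path."""
    RESET_QUEUE.append(email)
    return GENERIC_REPLY


def run_worker():
    """Background step: only registered addresses get a token; unknown ones are dropped silently."""
    delivered = 0
    while RESET_QUEUE:
        email = RESET_QUEUE.popleft()
        if email in CUSTOMERS:
            OUTBOX.append((email, secrets.token_urlsafe(32)))
            delivered += 1
    return delivered


if __name__ == "__main__":
    print(leaky_reset("alice@example.com"), leaky_reset("nobody@example.com"))
    print(safe_reset("alice@example.com"), safe_reset("nobody@example.com"))
    print("mails sent by worker:", run_worker())
```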

    1. wyatt

      Does it need to be PCI DSS compliant if there is no payment information processed? Just a data protection fail at the moment surely?

      1. Alister

        In TFA it says:

        The company cited its use of SSL and compliance with the payment card industry data security standard, both of which would do nothing to stop a brute force attack.

        So they are claiming to be compliant, whether they need to be or not.

        1. wyatt

          Agreed; however, I'd say this is a play on words with them trying to deflect. I know plenty of companies which have a PCI-DSS compliant (or attempting..) payment system, but this doesn't include the rest of their infrastructure.

          Their customer databases are probably outside of the scope, therefore not able to be non-compliant if not assessed.

    2. Doctor Syntax Silver badge

      Maybe they should get a different QA

      FTFY

    3. Oh Bother

      Enumeration

      @Alister

      What does that site do/display when you enter in a valid email address?

  8. Michael H.F. Wilkinson Silver badge
    Facepalm

    Mind-bogglingly stupid

    Not only do they have this "feature", they then tweet about it so everyone knows they have this security leak you could drive a herd of overweight mastodons through. If their users really prefer this feature over security, they apparently have room-temperature IQ (centigrade scale, that is)

    1. Anonymous Coward
      Anonymous Coward

      Re: Mind-bogglingly stupid

      Seems they tried to apply Amazon's "gift to friend via email address" and whoosh, the point went over their heads like Chicxulub! (Google is your friend ;) )

    2. CrazyOldCatMan Silver badge

      Re: Mind-bogglingly stupid

      > drive a herd of overweight mastodons through.

      That's not a nice thing to say about their customers!

  9. Stoneshop
    Devil

    And they will only receive pro-convenience answers

    Half of them by genuine customers who can't be bothered thinking about the security implications (if they can grasp the problem in the first place), the other half by impersonated customers.

  10. Malcolm Hall

    If you showed this security "researcher" a phone book his head would probably explode. Ridiculous.

    1. Robert Carnegie Silver badge

      Who, nowadays, is in the phone book?

      With their credit card number listed as well?

      Also there are sanctions - limited but real - against misuse of the phone system.

      1. Titus Aduxass

        Where's their credit card number displayed?

  11. Crisp

    Why are we drawing up UML diagrams for malicious actors?

    Nobody should be acting maliciously anyway!

  12. adam payne

    Reads article and almost falls off chair.

    How on earth can people design a system with such a flaw and try to pass it off as a feature?

    It's crazy and incredibly reckless to have a site display details like that.

    What's the betting that in a couple of weeks customers of the site will be reporting getting spammed with emails and dodgy phone calls? Or even worse.

    1. Dan 55 Silver badge

      Or somebody could change the delivery address for free gifts, the customer might not notice.

  13. Darryl

    They're just catering to the people who think having to change a password once every five years is a real pain in the ass. I'm sure their clientele would prefer if it just presented them with a list of names for them to click, which would then fill in all of those annoying fields like 'Credit card number' and such.

  14. Anonymous Coward
    Anonymous Coward

    Trying...

    AAA@gmail.com

    AAB@gmail.com

    AAC@gmail.com....

    ....

    Rinse. Repeat. Harvest.

    1. Anonymous Coward
      Anonymous Coward

      Re: Trying...

      I would start with AOL.com

      Then Yahoo.

  15. Anonymous Coward
    Anonymous Coward

    Never OK

    Dimwit shaming is NEVER OK.

    Ahh, maybe it is - not like they'd ever figure it out.

  16. Anonymous Coward
    Anonymous Coward

    So no passwords, what does it matter? If there was a password the database would just be hacked and leaked in bulk at some point anyway. Either way the information is out there. This at least doesn't pretend to be secure and then apologize later when they're hacked.
