London Classified Ads Site Gumtree Experiences Data Breach Due to F12 Key
The Leaked Data Contained Email Addresses, Postcodes, GPS Location, and Other Sensitive Info.
Gumtree.com, also known as Gumtree, is a classified ads and community website based in the UK. As of November 2010, it was the UK’s largest website for local community classifieds and one of the top 30 websites in the UK, with 14.8 million monthly unique visitors according to a traffic audit carried out in 2010.
The free classifieds site Gumtree.com exposed advertiser data after a security researcher disclosed that by simply pressing F12 on the keyboard, he was able to access confidential personally identifiable information (PII) of advertisers.
Pressing F12 in a web browser opens the developer tools, which let anyone view the page’s HTML source as the server delivered it, inspect the network requests the page makes, and read error messages generated by the website. Nothing in the developer tools is secret: whatever the server embeds in the page is visible to every visitor, with or without those tools.
Keeping sensitive data out of what is sent to the browser in the first place, rather than relying on it merely not being displayed, is therefore considered an essential security measure.
Nevertheless, security analyst Alan Monie from Pen Test Partners noticed that by reading the HTML source code of the ads displayed on Gumtree’s website, he could see the PII of advertisers.
The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers’ email address, and their full name was available via a simple IDOR vulnerability.
What Data Was Exposed?
According to a report by Monie, the HTML source was leaking information for registered sellers including username, full name, email address, postcode, GPS coordinates, account registration date, and account type.
The ramifications of having this type of information revealed are serious, as the compromised individuals could become victims of phishing or social engineering attempts that aim to steal even more private information.
The site also has an API that is used only by the Gumtree iOS app. Unfortunately, one of that API’s endpoints was vulnerable to IDOR (insecure direct object reference): the endpoint accepted an object identifier supplied by the caller without checking that the caller was authorised to see that object, so another user’s record could be retrieved simply by requesting it. This led to yet another exposure of full names and other account information.
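The two defects described above, PII embedded in advert HTML and an API endpoint without an object-level authorisation check, share one fix: the server decides per field and per caller what leaves it. The following Python is an added illustration, not Gumtree’s or Pen Test Partners’ code; the seller records, field names, rendering functions and regular expressions are all assumptions constructed for the example. It shows an allowlist projection of a seller record, an ownership check on an account lookup, the leaky rendering pattern beside the safe one, and a small scanner a team could run over its own rendered pages as a regression check for emails, full postcodes and precise coordinates.

```python
import json
import re
from html import escape

# Constructed sample seller records; none of this is real Gumtree data.
ACCOUNTS = {
    101: {"id": 101, "username": "bikeseller", "full_name": "A. Example",
          "email": "seller@example.invalid", "postcode": "SW1A 1AA",
          "lat": 51.50101, "lon": -0.14159, "registered": "2019-03-02",
          "account_type": "private", "show_map": False},
    102: {"id": 102, "username": "sofa_shop", "full_name": "B. Example",
          "email": "shop@example.invalid", "postcode": "M1 1AE",
          "lat": 53.47852, "lon": -2.24421, "registered": "2021-07-19",
          "account_type": "trade", "show_map": True},
}

# Allowlist of fields any visitor may see. Everything else stays server-side.
PUBLIC_FIELDS = frozenset({"id", "username"})


def public_seller_view(account):
    """Project a seller record down to what an advert page may contain.

    Uses an allowlist rather than deleting known-sensitive keys, so a field
    added to the record later is hidden by default instead of leaked by default.
    """
    view = {k: v for k, v in account.items() if k in PUBLIC_FIELDS}
    if account["show_map"]:
        # Coarse location only: outward postcode and coordinates rounded to
        # one decimal (roughly 10 km), never the exact postcode or GPS fix.
        view["area"] = account["postcode"].split()[0]
        view["approx_lat"] = round(account["lat"], 1)
        view["approx_lon"] = round(account["lon"], 1)
    return view


def get_account(requester_id, account_id):
    """API-style lookup with an object-level authorisation check.

    The owner gets the full record; any other caller gets the public view.
    A real service would take requester_id from the authenticated session,
    never from the request body or URL.
    """
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    if requester_id == account_id:
        return dict(account)
    return public_seller_view(account)


def render_advert(account, title):
    """Render an advert page from the public projection only."""
    seller = public_seller_view(account)
    parts = [f"<h1>{escape(title)}</h1>",
             f"<p>Seller: {escape(seller['username'])}</p>"]
    if "area" in seller:
        parts.append(f"<p>Area: {escape(seller['area'])}</p>")
        parts.append(f'<div class="map" data-lat="{seller["approx_lat"]}" '
                     f'data-lon="{seller["approx_lon"]}"></div>')
    return "\n".join(parts)


def render_leaky_advert(account, title):
    """The anti-pattern: embedding the whole record for client-side scripts."""
    return (f"<h1>{escape(title)}</h1>\n"
            f"<script>var seller = {json.dumps(account)};</script>")


# Regression scanner: patterns for data that should never reach the page.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
UK_POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")
PRECISE_COORD_RE = re.compile(r"-?\d{1,3}\.\d{4,}")  # 4+ decimals, ~10 m


def find_pii_leaks(html):
    """Return every email, full postcode and precise coordinate found in html."""
    return {
        "email": EMAIL_RE.findall(html),
        "postcode": UK_POSTCODE_RE.findall(html),
        "coordinate": PRECISE_COORD_RE.findall(html),
    }


if __name__ == "__main__":
    for renderer in (render_advert, render_leaky_advert):
        leaks = find_pii_leaks(renderer(ACCOUNTS[101], "Bike for sale"))
        print(renderer.__name__, {k: len(v) for k, v in leaks.items()})
```

Run stand-alone, the script reports zero findings for the allowlisted page and one email, one postcode and two coordinates for the leaky one. The scanner is deliberately crude; its job is to fail a build when a field that should stay server-side appears in rendered output, not to be a complete PII classifier.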
One Month of Exposure for Sellers on Gumtree
Monie discovered the problem on November 11, 2021, and immediately reported it to Gumtree. On November 16, 2021, the platform partially addressed the incident, and after many additional messages from the researcher, they fixed all the issues on December 06, 2021.
This means that Gumtree advertisers’ personal information was exposed for at least a month.
A Gumtree spokesperson told BleepingComputer:
We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention. After becoming aware of the above, we were subsequently notified of a further issue with our API for iOS devices. This has also been resolved.
In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue. These included fixing the vulnerabilities, updating our safety messaging on site and mitigating against future issues.
We did not notify our users and are confident that our response to the reported issues was timely, appropriate, and proportionate. We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required.
How Can Heimdal™ Help?
Data breaches are at the top of every day’s agenda, a threat that can no longer be overlooked. Preventing them requires the right security tools in place: an automated Patch & Management Tool that keeps your software updated so hackers cannot exploit known vulnerabilities; a Privileged & Access Management Tool to control and monitor privileged user rights from a central location and, when paired with Next-Gen Antivirus & MDM, to de-escalate them automatically if a threat is detected; a Ransomware Encryption Protection Tool to guard against data exfiltration and data loss; and an E-mail Security Suite to stop phishing emails from luring your employees into handing over sensitive data. What’s more, Heimdal™ promotes the concept of unified cybersecurity, so you can manage all these solutions from a single centralized dashboard.