This Retail Website Considers Password Security Optional

A glaring privacy issue at an online health and beauty retailer allows customers to log in to their user accounts with just their email address – no password needed.

Most gaping security holes are terrible mistakes. But for one major Hong Kong-based online retailer called Strawberrynet, its security shortcomings are a feature.

Like many ecommerce sites, Strawberrynet gives registered users an option for express checkout. What makes the beauty-products website unique is that, when it comes to security, the site allows you to sign in to your private account using only your email address. That’s right, no password required.

That sparked the attention of Troy Hunt, who runs the data breach repository HaveIBeenPwned.com. He calls Strawberrynet’s privacy policy “insanity.”

“I’ve never seen another site that’s consciously built a feature like this and assumed it must have been an accident when I first saw it,” Hunt told Threatpost. “It’s hard to justify or rationalize this in any way; there’s no technical justification for exposing personal data like this publicly.”

The glaring privacy issues tied to Strawberrynet’s site have been chronicled by Hunt for almost a year. Last August, Hunt got wind of the security snafu. He visited the site and tried to guess email addresses for users. Without much effort, an email address pulled up the billing and delivery address for Strawberrynet users. Data beyond the address included home and mobile phone numbers. Hunt was also allowed to make account changes. No credit card information was exposed.

“Now all I did here was enter a very common female name to @gmail.com and wammo! There’s all her data,” Hunt wrote in his latest blog post on the Strawberrynet saga on Wednesday.

After bringing it to the company’s attention, Hunt was told by Strawberrynet, “Using your e-mail address as your password is sufficient security.”

Hunt’s public pressure on the company forced a change. You can still log onto Strawberrynet.com using just your email address. However, the personally identifiable data is now obfuscated. At least that’s the way it looked at first glance.

“I took a brief look at their HTML source in an attempt to better understand their thinking,” he wrote. What Hunt found inside the HTML were the clear-text values of the obfuscated fields.

It gets worse.

Hunt found another workaround: selecting “change the billing address” led to a screen that showed all the personal information of the customer, not obfuscated.
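The failure described above, fields that look masked on screen while their clear values still sit in the HTML, comes from masking only in the presentation layer. The JavaScript below is an added example, not Strawberrynet’s or Hunt’s code; the customer record, field names and function names are constructed for illustration. It contrasts the leaky rendering with server-side masking and adds a regression check that scans a response body for clear values.

```javascript
// Constructed sample record (not real customer data); field names are assumptions.
const customer = {
  name: "Jane Doe",
  phone: "+61 400 123 456",
  address: "12 Example Street, Sydney NSW 2000",
};

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Keep a short hint and star out the rest; very short values are fully masked.
function mask(value, keep = 2) {
  const s = String(value);
  const shown = s.length > keep * 2 ? keep : 0;
  return s.slice(0, shown) + "*".repeat(s.length - shown);
}

// Flawed pattern: the visible text is masked, but the clear value still
// travels to the browser in a hidden input, so "view source" reveals it.
function renderLeaky(c) {
  return Object.entries(c).map(([k, v]) =>
    `<label>${k}: <span>${escapeHtml(mask(v))}</span></label>` +
    `<input type="hidden" name="${k}" value="${escapeHtml(v)}">`).join("\n");
}

// Hardened pattern: mask on the server before templating, so an
// unauthenticated response never contains the clear value anywhere.
function renderMasked(c) {
  return Object.entries(c).map(([k, v]) =>
    `<label>${k}: <span>${escapeHtml(mask(v))}</span></label>`).join("\n");
}

// Regression check: report fields whose clear value appears anywhere in the
// response body (visible text, attributes, hidden inputs), raw or HTML-escaped.
function findLeaks(html, c) {
  return Object.entries(c)
    .filter(([, v]) => html.includes(String(v)) || html.includes(escapeHtml(v)))
    .map(([k]) => k);
}

console.log("leaky:", findLeaks(renderLeaky(customer), customer));
console.log("masked:", findLeaks(renderMasked(customer), customer));
```

Running a check like `findLeaks` against every pre-authentication response, including follow-on screens such as an address-change form, catches both variants of the exposure described here.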

From the harvesting of personally identifiable information that could be used in a phishing attack to changing the shipping address of purchased items, the privacy and security implications here are considerable. That doesn’t even take into consideration General Data Protection Regulation rules set to be enforced by European Data Protection Authorities next year.

“I’ve spoken to numerous Strawberrynet customers – including one in the user group I presented to a couple of hundred people in London – and they’re always shocked followed by furious. Many of them have told me they’ve consequently demanded their account is closed,” Hunt told Threatpost. He estimates millions of Strawberrynet customers could be impacted by the lax security policy.

When Threatpost reached out to Strawberrynet, we were told that in 2015 they made passwords compulsory for a short period of time and then changed their mind. “It was clear to us that our largest customer base enjoys checking out conveniently and they found the compulsory login a hindrance to their shopping experience,” wrote Terry Chu, marketing director for Strawberrynet, in an email interview.

Chu said Strawberrynet.com decided to not make password-protected logins mandatory to quell a “backlash” from Australia and New Zealand customers who considered using passwords a hindrance.

“Currently, our customer base is divided into two types of shopper: those who prefer convenience, and those who prefer security. Due to this fact, we now give customers a choice of two modes of checkout. Those who don’t wish to register a password may still use ‘Express Checkout.’ For those who want to secure their data, we offer a 100 percent secure ‘Sign In to Checkout’ option, which will display your details only after you have entered your password,” Chu said.

He said Strawberrynet is recommending users opt for using a password to secure their data. “Moving forward, we will close this loophole in order to avoid data exposure for our Express Checkout customers. As a forward-thinking company, Strawberrynet takes user feedback seriously and will continue to improve the site and further enhance the checkout flow for a more seamless and user-friendly experience,” Chu said.
