This Retail Website Considers Password Security Optional

An online health and beauty retailer lets customers log in to their user accounts with just their email address – no password needed – exposing billing addresses and phone numbers to anyone who can guess the address.

Most gaping security holes are terrible mistakes. But for one major Hong Kong-based online retailer called Strawberrynet, its security shortcomings are a feature.

Like many ecommerce sites, Strawberrynet offers registered users an express checkout option. What makes the beauty-products website unique is how it handles security: the site allows you to sign in to your private account using only your email address. That’s right, no password required.

That sparked the attention of Troy Hunt, who runs the data breach repository HaveIBeenPwned.com. He calls Strawberrynet’s privacy policy “insanity.”

“I’ve never seen another site that’s consciously built a feature like this and assumed it must have been an accident when I first saw it,” Hunt told Threatpost. “It’s hard to justify or rationalize this in any way; there’s no technical justification for exposing personal data like this publicly.”

Hunt has chronicled the glaring privacy issues tied to Strawberrynet’s site for almost a year. Last August, he got wind of the security snafu, visited the site and tried guessing email addresses of users. Without much effort, a guessed email address pulled up that customer’s billing and delivery address, along with home and mobile phone numbers. Hunt was also able to make changes to the account. No credit card information was exposed.

“Now all I did here was enter a very common female name to @gmail.com and wammo! There’s all her data,” Hunt wrote in his latest blog post on the Strawberrynet saga on Wednesday.

After bringing it to the company’s attention, Hunt was told by Strawberrynet, “Using your e-mail address as your password is sufficient security.”

Hunt’s public pressure on the company forced a change. You can still log onto Strawberrynet.com using just your email address. However, the personally identifiable data is now obfuscated. At least that’s the way it looked at first glance.

“I took a brief look at their HTML source in an attempt to better understand their thinking,” he wrote. What Hunt found was that the HTML still contained the clear-text values of the obfuscated fields: the masking was done in the browser, not on the server, so anyone viewing the page source could read the data.

It gets worse.

Hunt found another workaround: selecting “change the billing address” took him to a screen that showed all of the customer’s personal information, with no obfuscation at all.

From the harvesting of personally identifiable information that could be used in a phishing attack to changing the shipping address of purchased items, the privacy and security implications here are considerable. That doesn’t even take into consideration the General Data Protection Regulation rules set to be enforced by European Data Protection Authorities next year.

“I’ve spoken to numerous Strawberrynet customers – including one in the user group I presented to a couple of hundred people in London – and they’re always shocked followed by furious. Many of them have told me they’ve consequently demanded their account is closed,” Hunt told Threatpost. He estimates millions of Strawberrynet customers could be impacted by the lax security policy.

When Threatpost reached out to Strawberrynet, the company said that in 2015 it made passwords compulsory for a short period of time and then reversed the decision. “It was clear to us that our largest customer base enjoys checking out conveniently and they found the compulsory login a hindrance to their shopping experience,” wrote Terry Chu, marketing director for Strawberrynet, in an email interview.

Chu said Strawberrynet.com decided to not make password-protected logins mandatory to quell a “backlash” from Australia and New Zealand customers who considered using passwords a hindrance.

“Currently, our customer base is divided into two types of shopper: those who prefer convenience, and those who prefer security. Due to this fact, we now give customers a choice of two modes of checkout. Those who don’t wish to register a password may still use ‘Express Checkout.’ For those who want to secure their data, we offer a 100 percent secure ‘Sign In to Checkout’ option, which will display your details only after you have entered your password,” Chu said.

He said Strawberrynet recommends that users opt for a password to secure their data. “Moving forward, we will close this loophole in order to avoid data exposure for our Express Checkout customers. As a forward-thinking company, Strawberrynet takes user feedback seriously and will continue to improve the site and further enhance the checkout flow for a more seamless and user-friendly experience,” Chu said.

Discussion

  • Mark on

    Always good to see stuff like this exposed. Insane that any company would think passwords should be optional. Just a side note, you misspelled Strawberrynet's URL about halfway down the article. You have it listed as Stawberrynet.com which leads to a bunch of ad trackers and then eventually Macys.com. :) Just pointing out so that can be fixed.
  • Jason M. on

    Couldn't there be a middle ground? Ask customers to check their e-mail for a message sent by Strawberrynet which contains a link the customer has to click on. The link would include as a URL parameter a strong, CSPRNG-generated token. And upon the browser reaching the link's landing page, a cookie would be set in the customer's browser, enabling them to check out seamlessly without even having to authenticate using an e-mail address, provided that the token was detected at the point of checkout. This would make it even more seamless to the customer by removing the need for the customer to type in their e-mail address. The primary weakness of the token-based approach would be that tokens would need to have an expiration date.
  • The Misanthrope on

    "As a forward-thinking company..." They had better think a little faster-forward. This is so insane it is hard to believe that it isn't intentional, with some deeper, clandestine reason behind this "feature." /remove tinfoilhat