IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Gumtree site code made personal data of users and sellers publicly accessible

Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website

Security researchers have discovered that data belonging to customers of online marketplace Gumtree may have been leaked through the site's HTML code.

User data such as GPS location, full names, email addresses, and postcodes of users and sellers, could all be accessed through the site's publicly accessible site code, according to researchers from Pen Test Partners.

Simply opening up the HTML code of the website using a tool like Google Chrome's 'inspect element' was all that was required to view the information in question.

Pen Test Partners said the site "was super leaky" and that every listing on Gumtree would include the seller's postcode or GPS coordinates, even if the seller requested their location to be hidden.

Gumtree's website operates on a first name basis - users and sellers only ever see each other's first names and use a private messaging service built into the site for communication, avoiding emails.

Related Resource

Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures

White square with whitepaper title on top of a background image of a building and pavementFree download

But email addresses were visible in the HTML code and user surnames could also be viewed by exploiting an insecure direct object references (IDOR) vulnerability. The vulnerability was found in an API used exclusively for iOS users, Pen Test Partners said, and one of its endpoints was vulnerable to a simple unauthenticated IDOR attack.

IDOR attacks can be carried out in a number of ways, but commonly attackers can cross-reference account IDs with a website's backend database and pull personal information using it. They can then modify the ID to pull data from other user accounts too.

Before publicly disclosing the leak this week, Pen Test Partners attempted to alert Gumtree via its third-party bug bounty programme. Run by Netherlands-based Zerocopter, the bug bounty programme required researchers to sign a non-disclosure agreement (NDA) as part of the submission, something the researchers were reluctant to do. Instead, they decided to alert Gumtree directly through its customer service team.

Gumtree has since fixed the issues causing the information leak and said it self-reported to the Information Commissioner's Office (ICO).

"People have the right to expect that organisations will handle their personal information securely and responsibly," said an ICO spokesperson to IT Pro. "If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.

"Gumtree made us aware of an incident. After carefully reviewing the information, we decided no formal action was required and we provided data protection advice to the organisation."

Gumtree told IT Pro it remediated the issues raised by Pen Test Partners "within hours" of being made aware of them and all issues with the website, both with the iOS API and other backend code are fully resolved.

"In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue," it said.

"These included fixing the vulnerabilities, updating our safety messaging on site and mitigating against future issues. We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate. We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022