Gumtree.com, a British classifieds site, experienced a data breach after a security researcher demonstrated that he could obtain sensitive personally identifiable data of advertisers by hitting F12 on the keyboard. The developer tools console opens when you press the F12 key in a web browser, allowing you to inspect a website’s source code, monitor network requests, and read error messages created by the website.
Keeping sensitive data out of what a website sends to the browser is considered a significant security precaution, because anything in the page’s source code can be read by the visitor. However, security researcher Alan Monie of Pen Test Partners revealed that by analyzing the HTML source code of the ads displayed on Gumtree’s website, he could access the PII of sellers.
“The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the seller’s email address, and their full name was available via a simple IDOR vulnerability,” according to a report by Monie.
Gumtree is among the top 30 websites in the United Kingdom, with millions of monthly unique visitors. As a result, many advertisers on the site may have been affected by this leak. Monie discovered that the HTML source for registered advertisers was leaking the following information:
- full name
- email address
- account type
- account registration date
- postcode or GPS coordinates
The implications of having such data exposed are severe, since the affected users might be targeted by phishing or social engineering attacks that use it to capture more sensitive information. The site also has an API only accessible by the Gumtree iOS app. Unfortunately, one of that API’s endpoints was vulnerable to an IDOR (Insecure Direct Object Reference) attack, resulting in another data breach exposing full names and other account information.
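The two server-side controls this kind of leak calls for, as an added example (not Gumtree's code and not from the researcher's report): the public advert view is built from an allow-list that honours the hidden-location setting, and the account lookup checks the requested ID against the session. All field names, routes and sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; the schema is an assumption, not Gumtree's.
@dataclass
class Seller:
    id: int
    full_name: str
    email: str
    account_type: str
    registered: str
    postcode: str
    hide_location: bool

SELLERS = {
    1: Seller(1, "Alice Example", "alice@example.test", "private", "2019-04-02", "AB1 2CD", True),
    2: Seller(2, "Bob Example", "bob@example.test", "trade", "2020-08-15", "EF3 4GH", False),
}
# advert id -> (title, seller id)
ADVERTS = {10: ("Bicycle", 1), 11: ("Sofa", 2)}

class Forbidden(Exception):
    pass

def public_advert_view(advert_id):
    """Build what is embedded in the public page from an explicit allow-list."""
    title, seller_id = ADVERTS[advert_id]
    view = {"id": advert_id, "title": title, "contact_url": f"/adverts/{advert_id}/contact"}
    # Location is added only when the seller has not hidden the map, and only
    # as the outward half of the postcode, never full postcode or GPS.
    if not SELLERS[seller_id].hide_location:
        view["area"] = SELLERS[seller_id].postcode.split()[0]
    return view

def get_account(session_user_id, requested_id):
    """Account endpoint: the ID in the request must match the session's user."""
    if requested_id != session_user_id:
        raise Forbidden("caller does not own this account")  # blocks the IDOR
    s = SELLERS[requested_id]
    return {"full_name": s.full_name, "email": s.email, "account_type": s.account_type}

def leaked_fields(view, seller_id):
    """Regression check: which seller PII values appear anywhere in the view."""
    rendered, s = repr(view), SELLERS[seller_id]
    pii = {"full_name": s.full_name, "email": s.email, "postcode": s.postcode}
    return sorted(name for name, value in pii.items() if value in rendered)
```

Running `leaked_fields` over every rendered advert in a test suite catches a template or serializer change that reintroduces seller data into the page source.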
Monie reported the problem to Gumtree on November 11, 2021, and the problem was partially resolved on November 16, 2021. On December 6, 2021, the site resolved all issues after receiving many messages from the researcher. As a result, Gumtree sellers’ personal information was exposed for over a month, if not longer.
Despite the possibility that the researcher was the only one who identified this basic data leak problem, Gumtree users are encouraged to be careful and approach any incoming contacts with caution.