Introduction
This website is one of New Zealand’s largest online tech retailers. They have been in business since the ’90s and have made a name for themselves as the place to go if you want to buy pretty much any electronic device. They also have a seemingly aging PHP backend for their website; this is good news for would-be hackers.
In my opinion, the most interesting features of this website are the ones that require you to be logged in. As an example, when you are logged in, you can look over transactions that are associated with your account.

My invoice as viewed from my own account.
However, what happens if you change the transaction ID in the URL to something else? This is something I try on most websites, since it is mishandled surprisingly often. In the above picture, what happens when we add 1 to the ID, changing the “202” to “203”? Well, see for yourself…

Someone else's invoice. This could be from a walk-in cash sale.
Yep, that’s someone else’s order alright. Replete with all the details you could possibly want. I suspect that the “ordered by” field in this case relates to the specific till that was used for the cash sale. Further down the page we can also see the line-by-line breakdown of the items purchased.
If Only It Were That Easy
After discovering this first one, my next instinct was to try to find other transactions to see if this was just a one-off. Many of the IDs I tried in the URL I was not allowed to view.
Because of this, I’m not entirely sure what rule determines whether anyone with any account can view a given order. Perhaps it’s to do with whether it was an in-store cash sale versus an online order. Perhaps that order doesn’t actually exist. I’m really not sure.

A random invoice number that doesn't work.
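The behaviour described above is a classic insecure direct object reference: the invoice is fetched by its ID alone, with no check that it belongs to the logged-in account. The following is an added example (not the retailer's code; the table, column names and sample rows are constructed) that shows that vulnerable lookup beside the hardened version, which scopes the query to the session's account:

```python
import sqlite3
from typing import Optional

# Constructed sample data: invoice ids are sequential and "owner" is the
# account that placed the order (NULL for a walk-in cash sale).
SAMPLE_INVOICES = [
    (202, "alice", "12 Example St", 349.00),
    (203, None, None, 59.99),           # in-store cash sale, no account
    (204, "bob", "7 Sample Rd", 1299.00),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory invoices table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, "
        "address TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    return conn


def get_invoice_idor(conn: sqlite3.Connection, invoice_id: int) -> Optional[tuple]:
    """Vulnerable: looks the invoice up by id alone, so any logged-in
    account can read any invoice just by changing the id in the URL."""
    return conn.execute(
        "SELECT id, owner, address, total FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice(conn: sqlite3.Connection, invoice_id: int, account: str) -> Optional[tuple]:
    """Hardened: the query is scoped to the session's account, so an
    invoice that is not yours (or has no owner at all) is simply not
    found. A NULL owner never equals an account name, so cash sales
    are never returned to any account."""
    return conn.execute(
        "SELECT id, owner, address, total FROM invoices "
        "WHERE id = ? AND owner = ?",
        (invoice_id, account),
    ).fetchone()
```

When the hardened lookup returns `None`, serve the same "not found" response for both a foreign invoice and a non-existent ID, so the endpoint does not confirm which IDs exist.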
Interacting with the Order
At the bottom of the page is a form where you can contact the support team of this website about your order, as well as a history of messages that have been sent.
I decided to send a message from one account onto the invoice of another account. The request appears to have been accepted by the server but no message appeared in the message history.
Getting Personal(ly Identifiable Information)
Okay, so being able to read arbitrary invoices isn’t particularly damning (although it is absolutely concerning that this information is available). I also wanted to check to see if someone could view my personal information using this trick. I found an order of mine that had an old delivery address on it and attempted to view it while signed in to a different account.

My invoice. As viewed from another account. This is bad.
I wasn’t thrilled to learn that my name, address, and purchase history are just on display for anyone in the world to view. This is probably not what people who use this website expect when they make purchases. I know I certainly didn’t expect this!
Disclosure
I reached out to this website’s support email address to report the issue on the evening of March 21st 2024. Six days later my support ticket was followed up on, and I was able to provide their team with the details of this issue and two others (coming soon to this blog). Within three hours of my providing the details, this issue was fixed and I was no longer able to view my own order information from other accounts.
I was pleasantly surprised by how quick and effective the team at this website were in fixing this issue. Great job!
Cover photo by Towfiqu barbhuiya on Unsplash