Gumtree’s classifieds site disclosed personal information via F12 key

The UK classifieds site Gumtree suffered a data breach after a security researcher showed that he could access sensitive, personally identifiable advertiser data simply by pressing F12 on the keyboard.

When you press the F12 key in a web browser, it opens the Developer Tools console, which lets you view the source code of a website, monitor network requests, and see development messages and errors produced by the website.

It is a basic security expectation that sensitive data is not exposed to visitors of a website, including anyone who views its source code.

However, Pen Test Partners security researcher Alan Monie discovered that he could see sellers’ personal information simply by viewing the HTML source code of the advertisement displayed on Gumtree’s website.

“The site was leaking great. Every ad on the site included the seller’s zip code or GPS coordinates – even if the seller requested that the map of their location be hidden. The seller’s email address was leaked and their full name was available through a simple IDOR vulnerability,” explained a report from Monie.

Gumtree is one of the top 30 websites in the UK, receiving several million unique visitors every month, so this leak may have affected a large number of advertisers on the site.

Monie found that the HTML source disclosed the following information about registered advertisers:

  • full name
  • username
  • account registration date
  • account type
  • email address
  • postal code or GPS coordinates

The consequences of exposing such data are significant: affected users could be targeted by phishing or social engineering attacks that use this information to extract more sensitive details.

The site also offers an API used exclusively by the Gumtree iOS app. One of this API’s endpoints was vulnerable to an Insecure Direct Object Reference (IDOR), leading to a further leak of full names and other account information.
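The two failure modes described above, as an added example that is not Gumtree’s or Pen Test Partners’ code: a server-side view builder that allow-lists what an advert page may contain and honours the seller’s hide-location setting, and an account lookup that enforces ownership so that changing an id in the request cannot return someone else’s record. Field names, classes and sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Allow-list of advert fields that may appear in the page source.
PUBLIC_AD_FIELDS = ("ad_id", "title", "description", "price")

@dataclass
class Seller:
    account_id: int
    full_name: str
    username: str
    email: str
    registered: str
    account_type: str

@dataclass
class Advert:
    ad_id: int
    title: str
    description: str
    price: str
    seller: Seller
    postcode: str          # full postcode, kept server-side
    lat: float
    lon: float
    show_map: bool = True  # the seller's "hide my location" choice

def public_ad_view(ad: Advert) -> dict:
    """Only what an anonymous visitor may see. The leaky pattern serialised the
    whole record and hid parts in the browser; here the exact postcode and GPS
    fix never leave the server, and the area is dropped when the map is hidden."""
    view = {k: getattr(ad, k) for k in PUBLIC_AD_FIELDS}
    view["seller"] = {"username": ad.seller.username}  # no name, no email
    if ad.show_map:
        view["area"] = ad.postcode.split()[0]  # UK outward code, e.g. "SW1A"
    return view

def get_account(requester_id: int, account_id: int, accounts: dict) -> dict:
    """IDOR fix: the authenticated caller, not the id in the request, decides
    whether the record may be returned."""
    if requester_id != account_id:
        raise PermissionError("account %d is not owned by requester" % account_id)
    return dict(vars(accounts[account_id]))  # full record, owner only

# Constructed sample data (not real accounts).
SELLER = Seller(1, "Jane Doe", "jdoe", "jane@example.invalid", "2020-01-01", "private")
ACCOUNTS = {1: SELLER}
AD_HIDDEN = Advert(42, "Bike", "Red bike", "£50", SELLER, "SW1A 1AA", 51.5, -0.14, False)
AD_SHOWN = Advert(43, "Desk", "Oak desk", "£80", SELLER, "SW1A 1AA", 51.5, -0.14, True)
```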

Image: accessing sensitive data in the HTML view
Source: Pen Test Partners

Monie discovered the issue on November 11, 2021 and notified Gumtree, which partially resolved it on November 16, 2021. After several follow-ups from the researcher, the platform resolved all issues on December 06, 2021.

As such, sellers on Gumtree had their personal information exposed for almost a month, if not longer.

BleepingComputer reached out to Gumtree for comment on the actions taken regarding the incident and received the following response from a spokesperson.

“We were notified by a user of a security issue affecting the source code of our website in November 2021. This issue was resolved within hours of being brought to our attention. After learning about the above, we were subsequently made aware of a new issue with our API for iOS devices. This has also been resolved.

“In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken and planned to monitor the issue. These included remedying vulnerabilities, updating our on-site security messages, and mitigating future issues.”

“We have not informed our users and are confident that our response to the reported issues has been timely, appropriate and proportionate. We proactively communicated with the regulator when these issues emerged and took corrective action. We will take any other appropriate action if necessary.”

While it is possible that the researcher was the only person who discovered this basic data breach, we advise Gumtree users to remain vigilant and treat all incoming communications with caution.

