Cole discovered that by simply incrementing a numerical string by one in a url Best Buy sent out, he could pull up screen after screen of random customer info. Fortunately, all he could see were customer names, their home addresses, and their order numbers. It’s still surprising that Best Buy—or more specifically, Postpublisher.net, the email company they outsourced this to—wasn’t more careful with customer security.
Here’s Cole’s email. We’re going to pull out the actual URLs so we don’t encourage more snooping, but we tried Cole’s method and were able to pull up customer infor screens on our own:
My friend pre-ordered GTA4 from BestBuy.com and since he doesn’t have a printer he forwarded me the confirmation email of his purchase so I could print it out. The confirmation email contained a link to print out the page if you were having trouble viewing the email from within your email client. I was (since the message was forwarded to me the styles and images were all messed up), so I clicked the link which took me to [redacted]. I was curious how random the &e parameter was so I decided to play around with it and discovered it isn’t really random at all and by incrementing a certain part of it I was able to find home addresses of other users of BestBuy.com who had packages shipped to them.
This seems like a pretty serious privacy issue as I am now able to find full names and addresses of people that have bought something from BestBuy.com and had it shipped to them.