It's Easy To Access Random Customer Info With Best Buy URLs

Cole discovered that by incrementing a numerical string by one in a URL Best Buy sent out, he could pull up screen after screen of other customers' information. Fortunately, all he could see were customer names, their home addresses, and their order numbers. It's still surprising that Best Buy—or more specifically, Postpublisher.net, the email company Best Buy outsourced this to—wasn't more careful with customer data: the link worked without any login, and the parameter that selected the record was predictable.

Here's Cole's email. We're going to pull out the actual URLs so we don't encourage more snooping, but we tried Cole's method and were able to pull up customer info screens on our own:

My friend pre-ordered GTA4 from BestBuy.com and, since he doesn't have a printer, he forwarded me the confirmation email of his purchase so I could print it out. The confirmation email contained a link to print out the page if you were having trouble viewing the email from within your email client. I was (since the message was forwarded to me, the styles and images were all messed up), so I clicked the link, which took me to [redacted]. I was curious how random the &e parameter was, so I decided to play around with it and discovered it isn't really random at all, and by incrementing a certain part of it I was able to find home addresses of other users of BestBuy.com who had packages shipped to them.
 
This seems like a pretty serious privacy issue as I am now able to find full names and addresses of people that have bought something from BestBuy.com and had it shipped to them.
 
Cole
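What Cole describes is the textbook insecure direct object reference: the record to display is selected by a sequential value in the URL, and the server does no check that the requester is entitled to see it. The added example below is ours, not code from Best Buy or Postpublisher.net, and the order records, the `e` parameter name being the raw order id, and the `SecureLinks` class are all assumptions for illustration. It puts the enumerable lookup beside a hardened version: a 128-bit token from a CSPRNG, stored only as an HMAC so a leaked index is useless, that maps to exactly one record and cannot be walked by incrementing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str
    address: str


# Constructed sample records for the demo; not real customer data.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "Alice Example", "1 Main St, Springfield"),
    1002: Order(1002, "Bob Example", "2 Oak Ave, Springfield"),
    1003: Order(1003, "Carol Example", "3 Pine Rd, Shelbyville"),
}


def vulnerable_view(e: str) -> Optional[Order]:
    """Insecure: the 'e' parameter (assumed here to be the order id itself)
    selects the record and nothing ties the request to a customer."""
    try:
        return ORDERS.get(int(e))
    except ValueError:
        return None


def enumerate_neighbors(view: Callable[[str], Optional[Order]],
                        start: str, count: int) -> List[Order]:
    """What Cole did: take one legitimate link and walk the id upward.
    Works against any endpoint whose identifiers are dense and unchecked."""
    found: List[Order] = []
    base = int(start)
    for i in range(1, count + 1):
        record = view(str(base + i))
        if record is not None:
            found.append(record)
    return found


class SecureLinks:
    """Hardened 'view this email online' links.

    Each email gets its own unguessable capability token. Only an HMAC of the
    token is stored, so the server-side index cannot be replayed if it leaks,
    and the lookup is by digest, so there is no attacker-controlled string
    compared byte by byte."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._index: Dict[str, int] = {}  # HMAC(token) -> order_id

    def _digest(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, order_id: int) -> str:
        """Mint the token that goes into the email link for one order."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._index[self._digest(token)] = order_id
        return token

    def view(self, token: str) -> Optional[Order]:
        order_id = self._index.get(self._digest(token))
        return ORDERS.get(order_id) if order_id is not None else None


if __name__ == "__main__":
    # One forwarded link, then increment: the vulnerable endpoint leaks two
    # other customers' names and addresses.
    for leaked in enumerate_neighbors(vulnerable_view, "1001", 5):
        print("leaked:", leaked.customer, leaked.address)

    # The hardened link only ever resolves to the order it was issued for.
    links = SecureLinks(secrets.token_bytes(32))
    token = links.issue(1001)
    print("own order:", links.view(token))
    print("guessed id:", links.view("1002"))
```

Note that the token is still a bearer credential: anyone who is forwarded the email, as Cole was, can open that one order. If that is unacceptable the link has to require a login and check that the session's customer owns the order, which is the check the original page says was missing entirely.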

Comments


  1. Truvill says:

    Some people only need names and addresses in order to compromise their security and identity.

    Again, looking forward to a follow up.

  2. axiomatic says:

    I’m surprised that you find this surprising after all the (deserved) negative press about Best Buy on the consumerist.

    This is status quo for them.

  3. dwarf74 says:

    Fusker – it’s not just for pr0n anymore!

  4. FreeMarketGravy says:

    Correct me if I’m wrong, but names and addresses can be harvested from a phone book as well, right?

    Don't get me wrong; this shouldn't be possible, but in light of things like Sprint giving anyone access to customers' credit card numbers, changing their shipping preferences and full rein over their accounts, this isn't really a "pretty serious privacy issue."

  5. Black Bellamy says:

    I can’t wait to hear the OP has been arrested for ‘hacking’.

  6. Diet-Orange-Soda says:

    Working as a software engineer, I’m surprised how many people pass info like this over the query string and *never* check security on the other side.

    Actually, now that I’ve looked at this. You don’t even need to be signed in to view this info. Rotten.

  7. mgresser says:

    Well that’s cute. Nothing like a respect for customer’s privacy. I suppose when we have Microsoft helping the cops search your computers and the Veterans Administration can’t even protect your identity, we can’t expect a company that so obviously doesn’t care about its customers to do much better.
    [impatientsufferance.com]

  8. Bladefist says:

    @Diet-Orange-Soda: Yeah, I know. It's not surprising though. Usually developers want to see their code work first, then go back and do security. But obviously as soon as it works, people want more features and you never get to finish the security stuff.

  9. xl22k says:

    This is actually really bad… really, really bad.

    Of course, seeing this I had to try it, so I dug up an old e-mail from Best Buy and started playing with the numbers and sure enough it worked. So I came across people's order confirmations and requests for them to fill out surveys, and then this came up:

    Dear carlos:

    Here is the new password you requested: [removed]

    THAT IS A HUGE SECURITY BREACH!

  10. tptcat says:

    @Bladefist: Are you saying that you’ve developed like this and released an application with poor security because of it?

  11. Dickdogfood says:

    Oh man. Didn’t something exactly like this happen to Tower Records’ online service like five years ago?

  12. chrisjames says:

    @FreeMarketGravy: Not a privacy issue? I could flip through the orders until I find one near my location. I have the address, phone number, and order information. I hang outside the house when the package may arrive, call the number to social engineer the victim (find out when they’ll come home, what their neighbors names are, act like a Best Buy rep, etc), then when the delivery arrives, pick it up if it’s left at the door, or act like a neighbor and say I’ll take it.

    Things like this are what privacy of information is good for.

  13. mike says:

    @FreeMarketGravy: There is a difference between the phone book and the web site.

    For one, you choose to be in the phone book. There is an expectation that it will be used. Many people, including myself, opt out of being listed.

    Second, you’re dealing with a e-merchant, who is supposed only use your information to complete the sale. Maybe “suppose” is too strong a word. Perhaps “should” is better.

    This is almost as bad as the one state that had sex offenders on a database where you enter spoiled SQL commands.

  14. FreeMarketGravy says:

    @chrisjames: You could just hang out outside random homes, too. I’m not saying this isn’t a problem, but it’s no huge breach of security.

  15. chrisjames says:

    @tptcat: I’ll admit I have, and that he’s right. I never passed query string info myself and always registered queries with the account info of the … querier. But, I never got around to the sanitization stuff, or whatever it’s called, precisely for this reason. It was phone book tables accessible only by certified employees on an intranet, but that can be just as bad as this.

    Development gets rushed for reasons beyond your knowledge and control, and you are forced to work on the company’s terms, not your own. To hide such security flaws is unethical, though.

  16. chrisjames says:

    @FreeMarketGravy: But now you know when a delivery is arriving and what is being delivered.

    If you’re just talking about retrieving someone’s information. Phone books only list land lines; I have only a cell phone, for example. Not to mention you could build a database of what people order, then sell it to advertisers and profilers.

  17. FreeMarketGravy says:

    @chrisjames: Sure. Now the customer also has access to that and chances are they’re going to want to be home when it gets delivered. Assuming they can’t be, many neighborhoods’ delivery people know the residents, but even assuming that’s not true, the delivery guy may have a slight problem handing the package over to a guy who is standing on the porch with the front door closed and no signs of life in the house or cars in the driveway.

    As far as building a database, paranoia aside, you don’t think that’s already been done to you probably several times over?

  18. meadandale says:

    That’s what you get when you send your web development offshore.

    Someone should nominate this app for thedailywtf.com

  19. Ryan Duff says:

    @Truvill: Then I’m suing the phone book company!

  20. chrisjames says:

    @FreeMarketGravy: What a backwards presumption. Just because my data has been mined doesn’t mean it’s okay for it to happen, nor that I or anyone else should be okay with it happening again and again.

    And thieves love to exploit the trust that people place in systems, just like the trust you’re placing in delivery people with such assumptions, or that people place in Best Buy’s online ordering system.

  21. FreeMarketGravy says:

    @chrisjames: I never said it did; only that once the genie’s out the bottle, getting it back in is a pipe dream.

    And you’ll notice I used the delivery man as a final line of “defense,” not the first. There’s a reason.

  22. Meshuggina says:

    @FreeMarketGravy: It's not too hard to abuse this information. You can easily find out the person's phone number, call up claiming to be Best Buy, and say something along the lines of "We received your order for Super Mario Kart, and believe there might be some fraudulent activity on your account. Could you supply us with the username and password you used to log onto your Best Buy account?"

  23. chrisjames says:

    @FreeMarketGravy: That’s exactly the backwards presumption I was talking about. I really should practice clarifying things. I jump ahead of myself too often. The delivery man is the final line of defense. Best Buy is the first. Well, the consumer is always the first by default, but once the order is placed, Best Buy is next in line.

  24. YourFuzzyGod says:

    @FreeMarketGravy: Hi, my name is and I’m calling from Best Buy. It looks as though you ordered but we were unable to verify your credit card on our system. First, can I ask if your home address is correct? . Thanks! Perhaps you entered the wrong credit card information, can I get you to verify your credit card number for me? That seems to be correct. Perhaps you entered the incorrect expiration date; is it ? No? That must be the problem, what is the correct date? Okay, great! It looks like everything is in order now, your package should arrive soon!

  25. FreeMarketGravy says:

    @chrisjames: Right. And I never defended Best Buy disseminating customer’s information to anyone. I simply said in light of what other companies have done, this is hardly a “serious security issue.”

    @YourFuzzyGod: If you fall for such an obvious phishing scam as that in this day and age, you deserve what you get.

  26. chrisjames says:

    @FreeMarketGravy: The seriousness of a security issue is not defined by the degree to which any other company practices (or doesn’t practice) data security. It’s the degree to which the security breach affects the parties involved. Comparatively, this is an itch waiting to be scratched, not a hemorrhaging wound, but it’s still a breach and it can still have nasty consequences. That’s enough to make it a serious issue.

  27. @FreeMarketGravy: Exactly. Address and name aren't important things to keep secret because you have to try really hard to keep people from seeing them on public record.

  28. Veeber says:

    @FreeMarketGravy: But the information of what was ordered is also present. The video game might not be such a big deal, but making this information available seems worse to me than Facebook's Beacon problem.

  29. matto says:

    Dear <name>:

    We have important news concerning your recent purchase of <item>. Please log into our web site at to update your payment information.

    Thank you for your money,
    (not) Best Buy

    I don’t understand how anyone could consider this anything but a serious breach of trust.

  30. pecheckler says:

    If this happened with any financial, education, or medical institution it would be a serious violation of the law.

  31. snoop-blog says:

    I have done this before with porn pay sites. change a few numbers in the url, and it’s no longer membership only. woo hoo!

  32. FreeMarketGravy says:

    @Chris Vee: I don’t know what Facebook’s Beacon problem is, but what makes people knowing what you bought the factor that makes this such a huge deal? When I buy something at Target, the cashier and a handful of the people behind me know what I bought.

    @matto: Again, not that this is no big deal and doesn’t deserve to be fixed, but where does the line sit in terms of responsibility of not giving your personal information out via telephone or internet to someone that you cannot verify is who they say they are?

  33. wring says:

    wow. every stalker’s wet dream.

  34. coopjust says:

    Jeez, this is bad. I moved one up from an email and this is what I got:

    “Hi (Female Name),
    We’ve planned a trip to Arizona the week of March 5th; we’d like to get together if you’re free. We’ll be staying at the Marriott (Location) off of (street). I’m not sure what our plans are for the week, however we’d like to get together for dinner one of the nights we’re there.

    Let me know if you’ll be in town that week and if you’re available any night for dinner. We have never been to (State) and if you have some recommendations of places to visit let me know. Also, if you could recommend a few places to golf we’d very much appreciate that too.

    Regards,
    (Female Name)"

  35. TheDude06 says:

    All my recent GTA emails from best buy have broken links as of now. did they take it down?

  36. YourFuzzyGod says:

    @FreeMarketGravy: If you ordered something and a person called up and knew what you ordered, as well as when you ordered it, what your phone number and address are and (possibly) the last 4 of your CC, most people would think that the call is legit. I guess you are too smart to fall for that, but the rest of us will worry.

  37. YourFuzzyGod says:

    @FreeMarketGravy: Your logic is flawed. If you don’t think it is important that a company is letting people see what you ordered, when you ordered it, your address, phone number and possibly the last 4 of your CC, then you are much more likely to be scammed than someone who does care.

    Also, if a person called and had all of the above information, it is not unreasonable, by any stretch of the imagination; that 99% of the population would be fooled. If you don’t care that a company willy-nilly gives out your information, then you deserve what you get.

  38. rmz says:

    @Diet-Orange-Soda: Amen to that. If anything, I’m over-obsessive about checking my applications for this kind of stuff — I’ll go over and over it, trying to mess with query string parameters, or tweaking with form data to try to access stuff I shouldn’t be able to. Unfortunately, not all developers are so aware of such things :(

  39. Rectilinear Propagation says:

    If you fall for such an obvious phishing scam as that in this day and age, you deserve what you get.

    @FreeMarketGravy: WRONG.

  40. YourFuzzyGod says:

    @everyone: Sorry for my pathetic use of the comment system.

  41. unklegwar says:

    @Diet-Orange-Soda: This is what you get when you hire untrained hacks to do your programming. There’s a reason some of us went to school. 6 months of ComputerSchool.com does not a good programmer (designer, engineer) make.

  42. unklegwar says:

    @rmz: Sometimes it’s not the programmer, but the manager/designer, granted.

    I brought a similar loophole to my management when we did a file pickup application. At least they listened when I said “hey, anyone can guess their way into someone else’s download”.

    Not every manager listens. And then, not every coder notices.

  43. yourbffjill says:

    @FreeMarketGravy: You can’t be serious. Buying something in Target is completely different from ordering something in the privacy of your own home. I might buy something online that I’m uncomfortable buying in a busy store. Also, just because a couple of people (probably strangers) see what I’m buying does not necessarily mean I’d like to turn around and actively broadcast it to them. I don’t give them my name and address once I’ve caught them eyeing my new Playstation. (By the way… thanks, Best Buy, for telling some local crook that I just bought a new Mac Book and a $4000 home theater system, and thanks for giving him my address.)

    Beacon’s real issue (for me, at least) was mostly their ridiculously shady opt out/opt in mechanism, but it was totally exacerbated by the fact that it was released close to Christmas without announcement. I particularly don’t like people to know what I’m purchasing during gift-giving seasons, and I was one of many who discovered one of their gifts after seeing it listed on Facebook. I know this is not the same as the Best Buy issue, but it’s still an example of why I don’t necessarily want everyone to know what I’m buying.

    And this was sort of mentioned earlier, but how easy would it be to set up a miner to increment through those URLs, record people’s names and addresses and what they bought, and then target them with ads based on their purchases? I might not care if my friends or people in my checkout lane know what I’m buying, but I DO care if it’s sitting out in the open somewhere for some questionable set of companies to mine. I let Safeway track my purchases on my grocery card, but I would never want them to list those purchases on a website with my name and address.

  44. Justin42 says:

    Yeah, none of my Best Buy emails with “Click here if you can’t see the email” are working at this moment so hopefully they’re working on it..?

  45. wellfleet says:

    This has been a known issue for two years. This can also be done with The Work Number, and other similar strings.

  46. Smashville says:

    I could go through those til I found someone with a Wii…and figure out where to steal it from…

  47. gomakemeasandwich says:

    Even for Worst Buy, this is bad. You can do this with off brand porn sites, but one of the biggest retailers in the US? Wow.