Image: Larry Hachucka/Creative Commons
A clothing retailer patched a website flaw that exposed customer data via order links, highlighting risks associated with predictable URL structures.
A simple tweak to a web address was all it took to peer into someone else’s Express order.
Express recently patched a flaw in its website that exposed customer data through its order confirmation pages. The confirmation page served an order's details to anyone who requested its URL, and because Express embedded sequential order IDs in those URLs, an outsider could reach other customers' orders simply by changing the number. Exposed details included names, contact information, shipping addresses, and partial payment data.
The vulnerability, discovered by a security researcher, did not require advanced hacking techniques, only knowledge of how the URLs were structured.
Many data exposures of this kind are noticed through abnormal activity on the company's own networks; this one was spotted differently.
According to TechCrunch, the flaw was accidentally discovered by a security researcher and privacy advocate, Rey Bango. He noticed the issue while investigating a fraudulent transaction on his family member’s Express account, which was carried out using the account’s unique order number.
Bango, in his statement to TechCrunch, said:
“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order, and someone else’s order information came up!”
Normally, information like this is meant to be behind a properly authenticated page, locked away from even other Express users. But in this case, anyone who can tweak the web address for Express’ order confirmations can view almost everything the customer entered during checkout.
And with the right web automation tool, they can do this at scale, because Express assigns order numbers sequentially and places them in the web address of its confirmation page. Sequential order numbers are not a bug in themselves, but they are a dangerous practice when the page behind them does not check that the requester actually owns the order: every valid number becomes a guessable key to someone else's record, and a script can walk through them one after another.
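To make that distinction concrete, here is an added example, constructed for this page rather than taken from Express's code: the order records, customer names and handler names are hypothetical. It models the vulnerable confirmation lookup beside a hardened one and runs the kind of sequential scan the text describes against both.

```python
"""Vulnerable vs. hardened order-confirmation lookup (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass
class Order:
    order_id: int            # sequential number, the pattern the article describes
    customer_id: str
    name: str
    shipping_address: str
    card_last4: str
    # Unguessable public reference for links and e-mails (hardened variant only).
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(24))


# Constructed sample data: three customers with consecutive order numbers.
ORDERS = {
    1001: Order(1001, "alice", "Alice A.", "1 Main St", "4242"),
    1002: Order(1002, "bob", "Bob B.", "2 Oak Ave", "1111"),
    1003: Order(1003, "carol", "Carol C.", "3 Pine Rd", "9876"),
}
ORDERS_BY_REF = {o.ref: o for o in ORDERS.values()}


class Forbidden(Exception):
    """Raised by the hardened handler for any request it will not serve."""


def confirmation_vulnerable(order_id: int) -> Optional[dict]:
    """Models /order/confirmation?id=<n> with no session and no ownership check.
    Whoever edits the number in the URL gets the record: an IDOR."""
    order = ORDERS.get(order_id)
    return vars(order) if order else None


def confirmation_hardened(session_user: Optional[str], ref: str) -> dict:
    """Same page, fixed. The ownership check is the real fix; the random
    reference only removes trivial enumeration, so both are applied."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS_BY_REF.get(ref)
    # One error for both "no such order" and "not your order", so the
    # endpoint does not confirm which references exist.
    if order is None or order.customer_id != session_user:
        raise Forbidden("no such order")
    return vars(order)


def enumerate_orders(lookup: Callable[[int], Optional[dict]],
                     start: int, count: int) -> list:
    """What a scraping script does against the vulnerable endpoint: walk the
    sequential ID space and keep every record that comes back."""
    found = []
    for n in range(start, start + count):
        rec = lookup(n)
        if rec is not None:
            found.append(rec)
    return found


def count_served_hardened(session_user: Optional[str], refs: Iterable[str]) -> int:
    """Replay a list of candidate references against the hardened endpoint and
    count how many records it actually hands over."""
    served = 0
    for r in refs:
        try:
            confirmation_hardened(session_user, r)
            served += 1
        except Forbidden:
            pass
    return served


if __name__ == "__main__":
    leaked = enumerate_orders(confirmation_vulnerable, 1000, 10)
    print(f"vulnerable endpoint: {len(leaked)} of {len(ORDERS)} orders leaked to an anonymous scan")
    all_refs = [o.ref for o in ORDERS.values()]
    print("hardened endpoint, anonymous scan of guessed numbers:",
          count_served_hardened(None, [str(n) for n in range(1000, 1010)]))
    print("hardened endpoint, alice holding every real reference:",
          count_served_hardened("alice", all_refs))
```

Run it and the anonymous scan of ten consecutive numbers pulls every order out of the vulnerable handler, while the hardened handler returns nothing to an anonymous caller and, even when a logged-in customer presents every real reference, serves only the one order that belongs to her. The point of the design is that the random reference is defence in depth; the ownership check is what closes the hole.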
The exposure included customer information such as names, contact information, shipping addresses, and partial payment data.
Speaking to TechCrunch, Joe Berean, head of Marketing at Express, confirmed they are aware of the incident and have patched it.
“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” Berean said.
In the same statement, Berean expressed the company’s stance on customer data, saying:
“We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”
However, TechCrunch has noted that requests for comment regarding the legal disclosure of the incident have gone unanswered.
Additionally, even as the company asks users to contact it about any security concerns, it has not updated its website to make that easy. Bango was only able to report his observation through TechCrunch, highlighting the friction anyone who currently wants to report a security issue may face.
As of this reporting, the company has not notified users who might have been affected and, per TechCrunch, has answered no further questions. It did say its investigation is ongoing, which may mean that affected customers will be notified once it concludes, along with a notice to state attorneys general.
However, that depends entirely on Express and how it structures its timeline.
Since the report did not say how long the flaw had been live, anyone who has shopped at Express should stay vigilant against phishing attempts and monitor for signs of identity theft.
For a related look at how hidden vulnerabilities can open the door to larger threats, check out this report on malicious WordPress plugins planting backdoors across sites.
Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.