A security researcher named Alan Monie has confirmed that the British classified-advertising site Gumtree.com suffered a data leak, after he revealed that he could access advertisers' sensitive personally identifiable information simply by pressing F12 on the keyboard. Pressing F12 in a web browser opens the developer tools console, which lets you view a website's source code, monitor network requests, and see the error messages the website produces.
Gumtree.com is a British online classified advertising site and one of the top 30 websites in the UK, receiving millions of visitors each day. Given that volume of traffic, this data leak may have affected large numbers of advertisers across the UK.
The security researcher Alan Monie disclosed that he could see the PII of sellers simply by viewing the HTML source code of adverts shown on Gumtree. Mr Monie also shared the information he was able to view: he mentioned how “the site was super leaky” and how every advert on Gumtree included the seller's postcode or GPS coordinates, even in cases where sellers had asked for their location to be hidden. According to Monie, sellers' email addresses and full names were also available through a simple ‘IDOR vulnerability’ (insecure direct object reference).
Monie found that the HTML source was leaking the following information about registered advertisers:
- Full name
- Account registration date
- Account type
- Postcode or GPS coordinates
- Email addresses
Gumtree’s site also features an API used exclusively by the Gumtree app on iOS. One of the API’s endpoints was exposed to an IDOR attack, which resulted in yet another data leak that again included full names and other account information. Monie confirms that the data incident was discovered on November 11th 2021. He also explained that he informed Gumtree of the issue, and that Gumtree partially fixed the problem on 16th November 2021. Gumtree finally addressed all of the problems on December 6th 2021, after multiple messages from the security researcher. It was also noted that Gumtree sellers had their PII exposed for almost a month because Gumtree did not address all of the problems at once.
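The two defects the article describes, seller PII serialized into the public advert page and an account endpoint that returns whichever record the client asks for, both come down to the server handing out more than the caller is entitled to. The example below is added here for illustration and is not Gumtree's code or the researcher's: the data model, field names and sample records are constructed, and it shows a leaky page context and account lookup beside allow-listed, ownership-checked versions, plus a small regression check a defender can run over the page context before it is rendered.

```python
"""Constructed illustration (not Gumtree's code) of a PII leak via the page
context and an IDOR on an account endpoint, each beside a hardened version."""

import re
from dataclasses import dataclass


@dataclass
class Seller:
    account_id: int
    display_name: str
    full_name: str
    email: str
    registered: str      # account registration date
    account_type: str


@dataclass
class Advert:
    advert_id: int
    seller_id: int
    title: str
    postcode: str
    lat: float
    lon: float
    hide_location: bool  # seller asked for the location to be hidden


# Constructed sample records; addresses use the reserved .invalid domain.
SELLERS = {
    7: Seller(7, "Alex", "Alex Example", "alex@example.invalid", "2019-03-02", "private"),
    8: Seller(8, "Bo", "Bo Example", "bo@example.invalid", "2020-07-14", "trade"),
}
ADVERTS = {
    101: Advert(101, 7, "Bicycle", "SW1A 1AA", 51.5010, -0.1416, hide_location=True),
    102: Advert(102, 8, "Sofa", "M1 1AE", 53.4794, -2.2453, hide_location=False),
}


def advert_view_leaky(advert_id):
    """'Before': every attribute the server holds is dropped into the page
    context, so view-source or F12 reveals the seller's PII and exact location,
    regardless of the hide_location setting."""
    ad = ADVERTS[advert_id]
    seller = SELLERS[ad.seller_id]
    return {"advert": vars(ad), "seller": vars(seller)}


def advert_view_safe(advert_id):
    """'After': an explicit allow-list of public fields. Location is reduced to
    the outward postcode when the seller opted to hide it, and no account
    attributes other than a display name reach the template."""
    ad = ADVERTS[advert_id]
    seller = SELLERS[ad.seller_id]
    if ad.hide_location:
        location = {"area": ad.postcode.split()[0]}   # e.g. 'SW1A'
    else:
        location = {"postcode": ad.postcode}
    return {
        "advert": {"id": ad.advert_id, "title": ad.title, "location": location},
        "seller": {"display_name": seller.display_name},
    }


def account_leaky(account_id):
    """'Before': the API trusts the client-supplied id (an IDOR)."""
    return vars(SELLERS[account_id])


def account_safe(account_id, session_account_id):
    """'After': the record is bound to the authenticated principal; a request
    for anyone else's account is refused rather than served."""
    if account_id != session_account_id:
        raise PermissionError("account does not belong to the caller")
    return vars(SELLERS[account_id])


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
SENSITIVE_KEYS = {"email", "full_name", "lat", "lon", "registered"}


def pii_findings(context):
    """Regression check for a page context: flag sensitive keys or
    email-shaped string values anywhere in the structure about to be
    serialized into HTML. An empty list means nothing obvious is exposed."""
    findings = []

    def walk(obj, path):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key in SENSITIVE_KEYS:
                    findings.append(f"{path}.{key}")
                walk(value, f"{path}.{key}")
        elif isinstance(obj, str) and EMAIL_RE.search(obj):
            findings.append(f"{path}=<email>")

    walk(context, "$")
    return findings


if __name__ == "__main__":
    print("leaky:", pii_findings(advert_view_leaky(101)))
    print("safe: ", pii_findings(advert_view_safe(101)))
```

Running `pii_findings` over the leaky context reports the coordinates, full name, email and registration date; over the hardened context it reports nothing, which is the property a template or serializer test should enforce so that a new field added to the model cannot silently reappear in the page.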
The defendant (Gumtree) has responded regarding the data breach and has admitted liability. It also noted that “We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate”, and in addition it has stated that it informed the ICO of the data breach. It is unknown how many people have been affected; Gumtree users are advised to remain vigilant and treat all incoming communications with caution. The consequences of exposing such data are substantial, as those whose information has been exposed could suffer further, targeted data breaches.
The defendant has declared that the personal information of sellers was only visible for hours, yet the security researcher has declared that the issues behind the data leak were not all resolved until nearly a month after the leak. It is therefore questionable how long Gumtree sellers’ personal information was accessible. This data breach is a matter which High Street Solicitors can review on your behalf on a no win no fee basis. If you or someone you know require our assistance in this matter, please do not hesitate to contact us to pursue a potential data breach claim.