Gumtree site code made personal data of users and sellers publicly accessible

Security researchers have discovered that data belonging to customers of online marketplace Gumtree may have been leaked through the site's HTML code.

User data such as GPS location, full names, email addresses, and postcodes of users and sellers, could all be accessed through the site's publicly accessible site code, according to researchers from Pen Test Partners.

Simply opening up the HTML code of the website using a tool like Google Chrome's 'inspect element' was all that was required to view the information in question.

Pen Test Partners said the site "was super leaky" and that every listing on Gumtree would include the seller's postcode or GPS coordinates, even if the seller requested their location to be hidden.

Gumtree's website operates on a first name basis - users and sellers only ever see each other's first names and use a private messaging service built into the site for communication, avoiding emails.

But email addresses were visible in the HTML code and user surnames could also be viewed by exploiting an insecure direct object references (IDOR) vulnerability. The vulnerability was found in an API used exclusively for iOS users, Pen Test Partners said, and one of its endpoints was vulnerable to a simple unauthenticated IDOR attack.

IDOR attacks can be carried out in a number of ways, but commonly attackers can cross-reference account IDs with a website's backend database and pull personal information using it. They can then modify the ID to pull data from other user accounts too.

Before publicly disclosing the leak this week, Pen Test Partners attempted to alert Gumtree via its third-party bug bounty programme. Run by Netherlands-based Zerocopter, the bug bounty programme required researchers to sign a non-disclosure agreement (NDA) as part of the submission, something the researchers were reluctant to do. Instead, they decided to alert Gumtree directly through its customer service team.

Gumtree has since fixed the issues causing the information leak and said it self-reported to the Information Commissioner's Office (ICO).

"People have the right to expect that organisations will handle their personal information securely and responsibly," said an ICO spokesperson to IT Pro. "If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.

"Gumtree made us aware of an incident. After carefully reviewing the information, we decided no formal action was required and we provided data protection advice to the organisation."

Gumtree told IT Pro it remediated the issues raised by Pen Test Partners "within hours" of being made aware of them and all issues with the website, both with the iOS API and other backend code are fully resolved.

"In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue," it said.

"These included fixing the vulnerabilities, updating our safety messaging on site and mitigating against future issues. We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate. We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required."