Pen Test Partners: Anyone could view Gumtree users' GPS location by pressing F12
2021-12-15 15:31

UK online used goods bazaar Gumtree exposed its users' home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.

British company Pen Test Partners spotted the data leakage, which meant anyone could view a Gumtree user's name and location by pressing F12 in their web browser.

PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.

In a statement Gumtree told The Register: "We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention. After becoming aware of the above, we were subsequently notified of a further issue with our API for iOS devices. This has also been resolved."

Gumtree said it had informed the Information Commissioner's Office and "planned to monitor the issue", while adding: "We take the privacy of our users very seriously and we are sorry this incident occurred."

Earlier this year an American politician demanded criminal prosecution of a journalist who noticed that pressing F12 while viewing a local state education board's website revealed quite a lot of personal data of teachers.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/15/gumtree_data_breach_idor_f12_badness/