[Warning] Strawberrynet Leaks Full Name, Address & Phone Number by Entering Any Email Address

This is bad. From Troy Hunt's blog (an Australian security researcher). Unlike other security issues, Strawberrynet considers this a feature and is not fixing it.

  • Go to Strawberrynet.com.
  • Add any product to your basket.
  • Hit Checkout.
  • Enter any email address at the checkout.

I tried with my wife's email address and was presented with a full name, full address and mobile phone number. Ridiculous.
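As an added illustration (not Strawberrynet's code, written from the defender's side), here is the leaky pattern described above beside a hardened express checkout that only prefills a profile after the password verifies and answers identically for known and unknown emails; the accounts, salt and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample store (not Strawberrynet's data). Passwords are stored as
# salted PBKDF2 hashes; a real deployment would also use per-user salts.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

ACCOUNTS = {
    "alice@example.com": {
        "name": "Alice Example",
        "address": "1 Sample St, Sydney NSW 2000",
        "phone": "0400 000 000",
        "pw_hash": _hash("correct horse battery"),
    },
}
# Compared against when the email is unknown, so the unknown-email path does
# the same amount of work (and takes the same time) as the known-email path.
_DUMMY_HASH = _hash("dummy")

def leaky_express_checkout(email: str) -> dict:
    """The flaw described in the post: the stored profile is prefilled for
    whoever types the email, with no authentication at all."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None:
        return {"status": "new_customer"}
    return {"status": "returning", "name": acct["name"],
            "address": acct["address"], "phone": acct["phone"]}

def safe_express_checkout(email: str, password: str = "") -> dict:
    """Hardened: profile data is released only after the account password
    verifies. Every unauthenticated outcome (unknown email, missing or wrong
    password) returns the same response, so the endpoint also cannot be used
    to test which emails hold an account."""
    acct = ACCOUNTS.get(email.strip().lower())
    expected = acct["pw_hash"] if acct else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password), expected) and acct is not None
    if not ok:
        return {"status": "enter_details"}  # caller fills the form manually
    return {"status": "authenticated", "name": acct["name"],
            "address": acct["address"], "phone": acct["phone"]}
```

The point of the hardened version is that an email address on its own buys the caller nothing: neither the profile nor confirmation that an account exists.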

[Screenshots via Troy Hunt: image1, image2]

You can contact them to delete your data or I suppose you could just change all your details within the account to fake details.

Update: Strawberrynet has Tweeted:

We hear your concerns about data leakage. To address this, we welcome you to email [email protected] to request your address be hidden.

Comments

  • +1

    A known flaw for 10 years and they still haven't fixed it.

    https://forums.whirlpool.net.au/forum-replies.cfm?t=578654

    • +21

      You don't think entering an email address and getting someone's full address, name and phone number is a security issue? Wow.

      How about stalkers, ex-gf/bfs or people who list their emails on classifieds (including on OzBargain)/social media etc?

      • -2

        In Sweden you can find out just about all you want with a first name and a general area, or with a phone number, etc.

    • +10

      If you don't think anything can be done with those details, you're simply not thinking it through.

      • Full Name
      • Email Address
      • Phone Number
      • Knowledge that they shop at a particular site.

      The most obvious option is spear phishing. You have more than enough personal details to make a legitimate-looking email, and you know at least one site that they shop at. Ask them to visit a site with your malicious code, and gain access to their machine. Alternatively tell them that a forced password reset is happening, and get them to enter a new password. Try that email / password combination on other sites etc. Look them up on social media and find a birthday. Every time I call my ISP or bank they check it's me by asking for D.O.B., full name and address.

      If you honestly can't see why this is a problem, feel free to post your full name, address, phone and email in the thread. Nothing to worry about right?

      • -3

        What a load of crap.

        If that's going to happen then there could be spear phishing through various other means. It's the same as any other phishing through any site. They can gain that information through any means.

        I'm not sure why you got so many upvotes for something so obvious that isn't going to happen. It's no different to the other methods out there.

        You mention extra information like DOB but that isn't being leaked. You put a strawman argument up that isn't even relevant.

        You are totally wrong about it and are causing a fuss just like Troy.

        I wouldn't be surprised if he is billing his clients extra for such trivial matters (i.e. find a flaw and get a bonus). There are good Information Security specialists and then there are the dodgy ones.

        • I do this for a living. My job involves delivering services to help people that have suffered identity theft, as well as other computer security related work. What I described isn't some edge case or rare event, it's extremely common.

          During penetration testing we frequently look up details for people that you would consider very private information to help us with attacks. The information is available from a number of subscription services that use vulnerabilities like this to gather as much as they can and then sell it.

          If we're testing a particular company, we look up all the email addresses available for their domain, see where those emails show up (in this case StrawberryNet), try spear phishing etc. In general, if your email address shows up in a major leak like LinkedIn for example (180 million people), your email address is already being tested on every site out there. 85% of the passwords used for LinkedIn are already cracked. So if you throw the list of those emails at StrawberryNet, you can match the accounts with private details, and you've already got a password to try from the LinkedIn hack.

          In short, I respectfully disagree. You're incorrect.

      • -3

        I'm surprised the Ozbargain community doesn't really think about whether the information provided is of material use or not.

        I do know from the paranoia of people wanting freebies but putting in fake names, addresses and phone numbers that people really believe that this information is useful. Frankly it's just absurd.

        This is why we get these comments that are biased in the manner that they are on this forum.

        Does it really matter if someone has your name, address, phone number, and email address? Nothing else, zilch, no extra information. That's all out there from legit eBay purchases which are easily sold to spammers. Ever wondered why you get JD spam after you do a legit purchase??? If one is going to get phished through one of the other channels, then they aren't going to be safe anyway.

        Removing this information from the web isn't going to help anyone at all. People need to think about ways to make that information irrelevant or materially useless. It is not the other way around. Protecting the information isn't going to help anyone because sooner or later there will be other means by which they are going to get owned by a hacker.

        Use your heads. Don't blindly read and accept someone's written biased argument.

        • I'm only biased because I deal with people who have suffered identity theft every day, and I see what they have to go through during the 6 - 12 months it takes to resolve all the issues that accompany it. My only goal is to highlight the very real risks people face when their identity is stolen or their data is leaked / sold.

          I get that to people that don't understand, or don't see this stuff daily, it probably sounds like FUD. It isn't. In Australia identity theft costs consumers about 1.7 billion per year. In the US, it's closer to 20 billion. Doing what you can to reduce your risk of being a victim is common sense.

    • +1

      This is leaking of personally identifiable information (PII).
      I am sure at least in some countries that is an offence.
      It is definitely a serious issue and could be misused by stalkers at the very least.

    • lol do you work for the company? A beat-up?

  • -4

    If you think this is dangerous, what do you think about the White Pages? It lists just about everyone.

    • +4

      When you have a phone line, you opt out of being listed in the phone book AND also it doesn't list your email address. When you shop online, there is an expectation that your details aren't made public. There is NO opt out of sharing this information.

      Again, let's say in the extreme cases of stalkers, ex-partners or those who are trying to maintain their privacy by not listing their number, their information is now exposed on a website.

      EDIT:
      Many people use similar usernames to email addresses. Sites like Whirlpool list users' email addresses. So it's not a stretch for someone who is angry at someone's online comments or has been threatened (has happened a few times on OzBargain) to get this information.

      See this tweet as an example.

      • But if you never used that online website to order you won't have an issue though.

        Also can't you just remove your account? Isn't that the same as an opt out?

        • +1

          When you sign up to a phone line, there is an option to make your phone number private so it isn't listed in the phone book.

          When you purchase something with StrawberryNet there is NO notification or mention that your email address will leak your personal information. That's the problem.

  • +7

    Update: Strawberrynet (twitter.com) has Tweeted:

    We hear your concerns about data leakage. To address this, we welcome you to email [email protected] to request your address be hidden.

    Lol, they can't just hide it by default?

  • +1

    That's crazy!!!

    I would suggest that everyone (even if you've never used their website) bombard them telling them to change this so-called 'feature' via their 'contact us' online form - https://au.strawberrynet.com/customer-service/contact-detail…

    Or via their email address - [email protected]

  • I think it's been fixed

    • +3

      Nope, still showing details with an email.

      • Yep, still showing, I just tried my old email address :(

  • Just got a response to my email.

    "Please provide us with your e-mail address used to place orders with us so we can be of assistance and request for our relevant team to hide your details"

    They really haven't got a clue and obviously think it's perfectly acceptable that anyone can access someone's full name, address and phone number simply by having that person's email address.

    • -5

      If you think about it, if you have a person's email address, you most likely already have that other information about the person. It wouldn't be a far shot to check in other publicly available databases and put all that information together.

      If a bot farmed that email address, they most likely farmed other information with it too…

      I don't know why this Troy guy blew it up but it seems like a cheap shot because protecting this information doesn't really protect the clients at all.

      People aren't using their common sense. Seriously, everyone here has bought something from eBay or online. Even the postman and every intermediary has that information. It's whether you trust those parties with the information, but it doesn't really matter. The attack surface might have increased, but it really isn't relevant when you cannot do that much with the information.

      When people state it increases the likelihood of being phished, I think it is a bunch of baloney. It's not even a high value target. People overreport how significant they are to attackers when in fact they aren't even likely to be a target.

      • +2

        Of course everyone's information is out there, however it usually is not and should not be available to be accessed with such ease. That's the issue.

        Plenty of people would be aware of what my email address is, it isn't hard to come across someone's email, however not many people would have all my other personal information, especially strangers on the web.

        Having this sort of information so easily accessible in the public domain is just asking for trouble. Why make it so easy for those who choose to undertake fraudulent activities with it?

        You obviously think they can't do much with this information, but I disagree. Even if they can't do much with this information, it all adds up. If every website was this lax with customers information we would all be screwed.

      • You talk about bots collecting data, and that if people have your email address then the other information is probably able to be found, while completely ignoring the fact that vulnerabilities like the one described here are exactly the reason why that is true. You're completely correct that bots are collating that information from multiple sources, but doesn't that make it more important for us to identify those sources and shut them down?

        You talk about the fact that people you trust have this information, like there isn't a difference between sharing the data with someone you CHOOSE to share it with, and it being made publicly available globally. You state yourself that it "increases the attack surface", but then say it doesn't matter. This makes no sense.

        You also talk about not being a high value target, which is quite simply not how these attacks work. There isn't some guy sitting in Romania, working his way through a list of prioritised targets, writing personalised phishing emails for each one. Instead, they get a huge list of emails like those from the LinkedIn or Adobe hacks. They automatically try the emails on different sites, and see which ones come back as having a live account. They then know which emails are in use on which sites. During this process, they might gather some more details about you from sites like StrawberryNet like name, phone, address etc (all automatically). They then do a massive mail merge to all the people whose account was live on XXXXX.com with a realistic looking email, with personal details that were leaked or scraped from other sites. They don't need everyone to respond, just some people. They put almost no effort in, so it's a huge return on investment. The site you click on might infect you with something, or trick you into gathering information etc. You're just 1 target in a million. There is no priority list.

  • +2

    It's made The Register. I've pinged a reporter at News Corp (and also an OzBargainer) so we'll see if any of the Australian papers pick it up. I've heard the affiliates have also been contacting the company.

    Unfortunately, if StrawberryNet aren't going to fix it, this is just promoting how to find someone's info! Hopefully the company will disable it entirely.

    • I got another email from Strawberrynet today, this time from a manager - below was their response

      We do however understand your view, and as we have an account management system that is protected by password, we will make it clearer on our site upon registration that this option is available.

      Thank you again for your communication.
      Kind Regards,

      Kenny Ting | Customer Services Manager
      www.StrawberryNET.com

      How am I doing? Email my supervisor [email protected]

  • +4

    So it turns out [email protected] has an account you can order things with.
    1. Add items to cart using "Buy now" buttons.
    2. Go to Cart by clicking on "Bag".
    3. Enter [email protected] in the field in the Checkout section and hit the "Checkout" button.
    4. For Payment Type, select UnionPay and hit Pay Now.
    5. Congratulations, you have just lodged an order! It won't get processed unless they receive a UnionPay transaction, but you can take down the order number and shout at them for how terrible their data security is.

  • The Office of the Australian Information Commissioner should be interested in this, I would think?

    What's next? First person to get a "high profile" address and details wins?

  • +2

    Is this sufficient to ban the entire domain/shop from having any deals posted here (until it's fixed)?

  • I understand it's a Hong Kong company so it should be in the power of these guys - www.pcpd.org.hk

  • Wow… a great way to horrify my security manager thanks!

  • Could this post be a prime example of the Streisand effect?

  • +1

    Just tested it again today and it's been fixed. Good result but long overdue.

  • No idea why but they have again opened up this ability. Perhaps they thought it would blow over and no one would notice.

  • This is still a problem today, it hasn't been fixed. I'm sending them a message attempting to get my partner's account deleted because of it.
    I note that "[email protected]" returns the following:

    Fix Your
    Email
    Fix your email login, Fix your email login, Fix your email login, Netivot, 8771102, Israel
    Daytime Contact Number: 050-8841658 ; Mobile: 050-8841658

    Back in August 2016 they agreed to change this but haven't done so.
    https://twitter.com/strawberrynet/status/766593974517829632

    @Strawberrynet - 9:13 PM - 19 Aug 2016 - We are going to change our login system soon. Meanwhile, users can still enjoy our express checkout. Stay tuned!