<h1>Sensitive Data Exposure Exposed</h1>
Dan Bartram, 2014-02-07

About a week ago, I ordered a product from a company that I normally do not do business with. As expected, I got an email with a link where I could check the status of my order. The link looked something like this:

http://www.companydomain.com/CustomerService/OrderTrackingResult?orderId=243156

I clicked the link and it took me to a page showing the following:

<a href="http://www.danbartram.com/wp-content/uploads/2014/01/shipping1.jpg"><img class="aligncenter size-full wp-image-341" alt="shipping1" src="http://www.danbartram.com/wp-content/uploads/2014/01/shipping1.jpg" width="800" height="146" /></a>

A login was not required, and the <strong>orderId</strong> parameter is just an integer. You can also see the <strong>click here</strong> link at the bottom, which goes to a simple form that accepts an Order ID. Of course, that just submits a request to the same URL as above with the updated query string. I tried a few random order IDs to see what would happen: the site happily showed me order info for any valid order ID I entered. Yes, they were sequentially generated.

Here is another:

<a href="http://www.danbartram.com/wp-content/uploads/2014/01/shipping2.jpg"><img class="aligncenter size-full wp-image-342" alt="shipping2" src="http://www.danbartram.com/wp-content/uploads/2014/01/shipping2.jpg" width="800" height="175" /></a>

I've blurred the details, but I was able to see what this customer ordered, the city / state it was being shipped to, and even track it using the carrier's tracking system.
<h2>So What?</h2>
Is this a big deal? Well, it's certainly not in the same category as the data breaches that have made the news lately. However, in light of those attacks, information leakage is still leakage and is almost always valuable to the right person. The <a title="OWASP Top Ten" href="https://www.owasp.org/index.php/OWASP_Top_Ten_Project">OWASP Top 10 for 2013</a> includes <a title="OWASP Sensitive Data Exposure" href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">Sensitive Data Exposure</a> as item A6, which covers this.

Sensitive Data Exposure is most often concerned with an attacker gaining information which they can use to compromise a site. Common areas of concern include not using SSL and exposing credentials or sending detailed error data to a potential attacker.

However, a competitor of this company could pretty easily collect information about what they were selling, where they were selling it to, and how quickly they filled orders. Even if this company were publicly traded and some of the information could be obtained through quarterly filings, the exposed data is much more granular.
<h2>How Can This Be Fixed?</h2>
There are several ways to fix this problem:
<h3>Require Customers to Login</h3>
This could be an option if all customers were required to create accounts when they place an order. Some businesses opt not to do this, and allow customers to order as guests.
<h3>Stop Using A Guessable Order ID</h3>
Instead of exposing a guessable Order ID, you could either use a GUID as the Order ID or generate a separate, non-sequential public identifier stored in its own database column. This might be an option if the schema can be changed on the back end.
<h3>Require A Second Piece of Information</h3>
Probably the easiest and quickest fix would be to require a second piece of information that an attacker would not know or could not easily guess, but that you have already collected. You could require a last name, an email address, or even the destination ZIP code. A determined attacker could still generate requests for every order and every ZIP code, but instead of every request being valid, most would be invalid, which could be detected by other means. This is a trade-off between locking down the data completely and just making it harder to obtain.
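As an added illustration (example code written for this page, not code from the original post or from the company's site), here is an order-lookup handler in the vulnerable form described above beside a hardened version that requires the destination ZIP code and counts mismatches per client so that a sweep over IDs or ZIP codes becomes visible. The order records, IDs and client addresses are constructed samples.

```python
# Added example: vulnerable order lookup beside a hardened one that needs a
# second piece of already-collected information and makes guessing detectable.
import hmac
from collections import Counter

# Constructed sample data; order IDs are sequential, as on the real site.
ORDERS = {
    243156: {"items": ["widget"], "city": "Austin", "zip": "78701", "tracking": "TRK-1"},
    243157: {"items": ["gadget"], "city": "Denver", "zip": "80202", "tracking": "TRK-2"},
}

def track_vulnerable(order_id):
    """Returns full order details for any valid integer ID: no login, no second factor."""
    return ORDERS.get(order_id)

# Mismatched lookups per client, kept for detection as well as for blocking.
FAILED_LOOKUPS = Counter()
LOCKOUT_THRESHOLD = 5

def track_hardened(order_id, zip_code, client_ip):
    """Requires the destination ZIP code as well as the order ID.

    A wrong ZIP and a nonexistent order are indistinguishable to the caller, so
    the response does not even confirm that an order ID exists. Mismatches are
    counted per client so that a sweep over IDs or ZIP codes stands out.
    """
    if FAILED_LOOKUPS[client_ip] >= LOCKOUT_THRESHOLD:
        return None
    order = ORDERS.get(order_id)
    # compare_digest keeps the comparison constant-time; the dummy value keeps
    # the timing the same whether or not the order exists.
    expected = order["zip"] if order else "00000"
    if order is None or not hmac.compare_digest(expected, zip_code):
        FAILED_LOOKUPS[client_ip] += 1
        return None
    return order

def suspicious_clients(threshold=LOCKOUT_THRESHOLD):
    """Clients whose mismatch count suggests enumeration; feed this to monitoring."""
    return [ip for ip, n in FAILED_LOOKUPS.items() if n >= threshold]
```

The hardened lookup still answers a customer who knows their own order ID and ZIP code, while a scan that mostly misses is both blocked and reported.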
