
posted by martyb on Tuesday December 04 2018, @08:37AM
from the face-palm dept.

Jared, Kay Jewelers Parent Fixes Data Leak:

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Dallas-based Web designer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

[...] Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.

Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.

“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”

Lancaster said the problem affected only orders made online through jared.com and kay.com, and that the weakness was not present on the sites of the company’s other jewelry brands, such as Zales and Piercing Pagoda.

[...] “Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”



  • (Score: 2) by stretch611 on Tuesday December 04 2018, @09:51AM

    by stretch611 (6199) on Tuesday December 04 2018, @09:51AM (#769479)

    the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data

    Sadly, this is the corporate mentality almost everywhere.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 0) by Anonymous Coward on Tuesday December 04 2018, @12:34PM (2 children)

    by Anonymous Coward on Tuesday December 04 2018, @12:34PM (#769512)

    "...that this applied to all past orders as well as future orders."

    How the fuck would anybody know anything about future orders?! Crystal ball?

    Holy shit the arrogance and negligence are getting unbearable. Time for violence already?

    • (Score: 2) by MrGuy on Tuesday December 04 2018, @02:43PM (1 child)

      by MrGuy (1007) on Tuesday December 04 2018, @02:43PM (#769560)

      My guess from the description of the problem is that the "fix" was changing the "magic link" in the e-mail confirmations (which apparently take you right to the order details with no further authentication) to be a much more obfuscated string as opposed to a simple sequential one, making it harder (but not impossible) to guess a valid order's magic string. So, any new orders would get an obfuscated magic link, making them secure. However, since they didn't change EXISTING magic links, past orders would still be vulnerable.

      The correct fix would be to invalidate all the old magic links, send new confirmation e-mails with "new style" magic links to all "old" order holders, and then redirect the old magic links to a static "hey, we changed our links - please look for a new e-mail" page. If they want to keep login-free "magic links" at all....

      • (Score: 0) by Anonymous Coward on Tuesday December 04 2018, @04:33PM

        by Anonymous Coward on Tuesday December 04 2018, @04:33PM (#769635)

        order info shouldn't be available in the clear, without auth and checking that the user is entitled to view the order info. any modern framework would make this stuff obvious. these asshats have some completely original piece of shit, obviously.
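The two points made above (replace guessable sequential links with random tokens and invalidate the old ones, and check that the requesting user is entitled to the order) can be sketched in a small order store. This is an added illustration, not Signet's code or anything from the article; the `OrderStore` class, the `/links-changed` redirect path and the sample orders are all constructed here.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class Order:
    order_id: int            # sequential id as used by the old "magic link"
    owner: str               # account the order belongs to
    details: str
    token: Optional[str] = None

class OrderStore:
    """Constructed example: unguessable links plus an ownership check."""

    def __init__(self) -> None:
        self.by_id: Dict[int, Order] = {}
        self.by_token: Dict[str, Order] = {}
        self.legacy_ids: Set[int] = set()   # orders still reachable by old links

    def add_legacy(self, order: Order) -> None:
        # Pre-fix order: its confirmation link carried only the sequential id
        self.by_id[order.order_id] = order
        self.legacy_ids.add(order.order_id)

    def issue_token(self, order: Order) -> str:
        # 256 bits from a CSPRNG; enumeration of neighbouring ids no longer works
        token = secrets.token_urlsafe(32)
        order.token = token
        self.by_token[token] = order
        self.by_id[order.order_id] = order
        return token

    def migrate_legacy(self) -> Dict[int, str]:
        # Invalidate every old-style link and reissue tokens; the caller e-mails
        # each owner their new link (the "correct fix" described in the thread)
        reissued = {oid: self.issue_token(self.by_id[oid]) for oid in self.legacy_ids}
        self.legacy_ids.clear()
        return reissued

    def resolve(self, token: str, session_user: str) -> Optional[Order]:
        # Both conditions must hold: the token exists AND the logged-in user owns it
        order = self.by_token.get(token)
        if order is None or order.owner != session_user:
            return None
        return order

    def handle_legacy_link(self, order_id: int) -> Tuple[str, Optional[str]]:
        # Old links never serve data after migration; known ids get the notice page
        if order_id in self.by_id and order_id not in self.legacy_ids:
            return ("redirect", "/links-changed")
        return ("not_found", None)
```

Note that `resolve` rejects a valid token presented by the wrong account, which is the entitlement check the parent comment asks for on top of the unguessable link.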

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday December 04 2018, @01:24PM

    by Anonymous Coward on Tuesday December 04 2018, @01:24PM (#769530)

    This is why I assume that anything I put online will eventually get leaked. Security sucks everywhere. What sucks most is when you have to enter sensitive details for your entire life into some online form to get a government background investigation to get a clearance for a job. Oh yeah, of course that was hacked. Thanks US government!

  • (Score: 3, Interesting) by MrGuy on Tuesday December 04 2018, @02:48PM (3 children)

    by MrGuy (1007) on Tuesday December 04 2018, @02:48PM (#769565)

    ...I know it's a little off-topic, but I had no idea Jared, Kay, and Zales were all the same company. As an occasional buyer of expensive jewelry, I'm a little surprised that the apparent competition is intra-company (those are the three biggest brands I can think of in the US from an advertising perspective).

    From the data I can see on Statista [statista.com] (sorry - semi-paywalled. Happy for an alternate source) Signet controls about a third of the total jewelry market in the US, is twice the size of their nearest competitor, and larger than their next 5 largest competitors combined.

    It's always a little surprise to me when a market I think is highly competitive turns out...not to be that at all. I've actually comparison shopped Jared and Kay, and thought afterwards that the price at Kay must be the reasonable market price...

    • (Score: 0) by Anonymous Coward on Tuesday December 04 2018, @03:38PM

      by Anonymous Coward on Tuesday December 04 2018, @03:38PM (#769601)

      Travel agencies are the same.

    • (Score: 0) by Anonymous Coward on Tuesday December 04 2018, @04:38PM (1 child)

      by Anonymous Coward on Tuesday December 04 2018, @04:38PM (#769638)

      "As an occasional buyer of expensive jewelry"

      and this is why we are losing the war.

      • (Score: 0) by Anonymous Coward on Tuesday December 04 2018, @05:37PM

        by Anonymous Coward on Tuesday December 04 2018, @05:37PM (#769669)

        So is he. He apparently has a wife who wants him to abort efforts to create family wealth and instead buy her an expensive abrasive.
