

Developer Michael Lynch filed an RMA with the used storage vendor goHardDrive (GHD), and in the process, accidentally discovered that the company is leaking customer details through an insecure RMA status check portal. According to his blog post, you can check the status of any GHD RMA through ghdwebapps.com/rma by inputting the RMA number, which is in this format: GHD00000. This will then pull up a sheet that outlines the customer’s details, like name, mailing address, email address, phone number, order number and date, and the products to be returned, plus the reason for the return.
All this information would not be an issue if the form were private. However, anyone can enter any valid RMA number, and the website returns all of this data without any check that the requester actually owns the RMA. GHD also exposed that data through a plain URL: https://ghdwebapps.com/rma/check?rmaNo=GHD12345&fromButton=1.
Because of that, almost anyone could write a script that iterates through every possible GHD RMA number and compiles the details of the company's customers. Even someone who cannot program, and does not know how to have an AI assistant write the script, could simply type RMA numbers into the website and manually collate the private information.
Lynch emailed the company when he discovered the leak, and GHD responded within two hours, saying that it would fix the issue within three to five business days. Although GHD did not update him (Lynch had to follow up with the company on what was being done), it added two more fields you must fill in to reveal customer information — ZIP code and house number. While this might seem enough to stop the average user, it is easy pickings for a determined attacker.
There are about 42,000 valid ZIP codes in the U.S., and house numbers commonly fall between zero and a hundred — that means there are 4.2 million possible combinations to try for each RMA number before a valid result is guaranteed. This might seem like a large number, but Lynch says, “Optimizing by common ZIP codes and house numbers probably means the attacker has >50% chance of success after about 50k guesses.”
This is still a huge number if you do it manually, but the prevalence of rentable server capacity makes brute forcing anything far cheaper nowadays. One security researcher found that $0.30 per hour buys enough capacity for 40,000 checks per second. So, using that kind of service, it's plausible to get one valid result every three seconds.
Because of this, GHD decided to eliminate the RMA status page entirely — it now asks its customers to email them for status updates. Lynch asked if the company offered a bug bounty for discoveries like this, but, unfortunately, the company said that they do not have a program like that. Nevertheless, they offered him a $20 refund on his $330 purchase as a way of saying thank you. Note that awards from bug bounty programs that capture vulnerabilities like this range from hundreds to thousands of dollars, especially as it could potentially save a company from penalties that can hit millions of dollars.
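The three stages the article describes, as an added illustration that is not GHD's code: the original lookup keyed on the RMA number alone, the first fix that bolted on ZIP code and house number, and a hardened alternative using a random per-RMA token (the token design and the sample records are assumptions, not something GHD implemented). The last function works through the article's own figures to show why two low-entropy fields add so little protection.

```python
"""Added example, not GHD's code: three versions of an RMA status lookup.

The records below are constructed sample data; the real back end is unknown.
"""
import hmac
import math
import secrets

# Constructed sample data: the RMA number is sequential and therefore guessable.
RMAS = {
    "GHD12345": {
        "name": "A. Customer", "zip": "90210", "house_no": "42",
        "status": "Received", "items": ["2x 4TB HDD"],
    },
}

def lookup_insecure(rma_no):
    """Behaviour the article describes: the RMA number is the only input, so
    any valid number returns the whole record (an insecure direct object
    reference)."""
    return RMAS.get(rma_no)

def lookup_weak(rma_no, zip_code, house_no):
    """GHD's first fix: two extra fields. Both are drawn from small sets of
    semi-public values, so they add only about 22 bits (see below)."""
    rec = RMAS.get(rma_no)
    if rec and rec["zip"] == zip_code and rec["house_no"] == house_no:
        return rec
    return None

def issue_status_token(rma_no):
    """Hardened alternative (assumption): mint a random 256-bit token per RMA
    and deliver it only to the customer's e-mail. Possession of the token,
    not knowledge of a guessable number, is what grants access."""
    token = secrets.token_urlsafe(32)
    RMAS[rma_no]["token"] = token
    return token

def lookup_hardened(rma_no, token):
    """Constant-time compare so timing does not leak how many characters
    matched. A request-rate limit per client would still belong in front."""
    rec = RMAS.get(rma_no)
    if rec and "token" in rec and hmac.compare_digest(rec["token"], token):
        return rec
    return None

def guess_space_bits(n_zips=42_000, n_house=100):
    """Entropy of the weak fix's extra inputs using the article's figures:
    ~42,000 ZIP codes x ~100 house numbers = 4.2 million combinations,
    roughly 22 bits, against 256 bits for the random token."""
    return math.log2(n_zips * n_house)
```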