Christie’s website bug exposed collectors’ locations


A flaw in Christie’s auction house website allowed anyone to download photos of items consigned for sale, and metadata embedded in some of those photos revealed exactly where the objects were stored, researchers claim.

A simple insecure direct object reference (IDOR) vulnerability may have put billions of dollars worth of valuables at risk, researchers at cybersecurity firm Zentrust Partners claim.

The problem lies in the appraisal process for goods that consignors want to sell. To have an item appraised, a consignor must upload at least three photos of it to the Christie’s website.


However, researchers discovered that the website served these photos to anyone, without checking whether the requester was the consignor who uploaded them. All a potential attacker needed to know was the URL of the photo.

“However, the URLs were always structured according to the same scheme using consecutive numbers, making them predictable. To download all available sellers’ photos, an attacker had to try all possible combinations of numbers systematically – a matter of seconds for computers,” reads the blog post.

According to the researchers, some photos still contained location metadata with the exact GPS coordinates of where the pictures were taken, revealing precisely where the items were being stored.
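The two weaknesses described above (sequential, guessable photo IDs served with no ownership check, and location metadata left in the uploaded files) are shown below as an added illustration. This is example code written for this article, not Christie’s code or the researchers’ tooling; the in-memory photo store, the account names, and the `gps` field standing in for a real image’s EXIF GPS tags are all constructed assumptions.

```python
"""Added example: a toy photo store with the IDOR pattern the researchers
describe, beside a hardened version. Not Christie's code; all names and
data are constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Photo:
    owner: str                          # consignor account that uploaded it
    data: bytes                         # stand-in for the image bytes
    gps: Optional[Tuple[float, float]]  # stand-in for EXIF GPSLatitude/GPSLongitude


class VulnerablePhotoStore:
    """Consecutive integer IDs and no authorization check."""

    def __init__(self) -> None:
        self._photos: Dict[int, Photo] = {}
        self._next_id = 1

    def upload(self, owner: str, data: bytes,
               gps: Optional[Tuple[float, float]] = None) -> int:
        pid = self._next_id            # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._photos[pid] = Photo(owner, data, gps)   # metadata kept as-is
        return pid

    def download(self, requester: str, pid: int) -> Optional[Photo]:
        # BUG: 'requester' is never compared with the photo's owner, so any
        # known or guessed id is served to anyone.
        return self._photos.get(pid)


def enumerate_photos(store, requester: str, max_id: int = 100) -> Dict[int, Photo]:
    """What an attacker does against the vulnerable store: walk the id space
    and keep every hit. Against a store with random ids and ownership checks
    this returns nothing."""
    found: Dict[int, Photo] = {}
    for pid in range(1, max_id + 1):
        p = store.download(requester, pid)
        if p is not None:
            found[pid] = p
    return found


class HardenedPhotoStore:
    """Ownership check on every download (the actual IDOR fix), unguessable
    ids as defence in depth, and location metadata stripped at upload."""

    def __init__(self) -> None:
        self._photos: Dict[str, Photo] = {}

    def upload(self, owner: str, data: bytes,
               gps: Optional[Tuple[float, float]] = None) -> str:
        pid = secrets.token_urlsafe(16)   # 128 bits of randomness, not enumerable
        # Drop GPS metadata before the file is ever stored; the appraisal
        # does not need to know where the item sits.
        self._photos[pid] = Photo(owner, data, gps=None)
        return pid

    def download(self, requester: str, pid) -> Optional[Photo]:
        p = self._photos.get(pid)
        if p is None or p.owner != requester:
            # Identical response for "no such id" and "not your photo", so a
            # probe cannot tell valid ids from invalid ones.
            return None
        return p
```

The ownership comparison in `download` is the fix; random identifiers alone only slow enumeration down and are not a substitute for it, and stripping location data at upload protects consignors even if a photo later leaks by some other route.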

The issue is amplified by the fact that Christie’s allows its clients to sell items without revealing their identity, which indicates that some sellers greatly value their privacy.

Researchers claim that despite being contacted about the vulnerability, Christie’s ignored the bug for over two months, fixing the issue only after the auction house was approached by the press.

“Christie’s just didn’t fix the problem. So, we wrote to Christie’s again and offered to discuss the issue again. At the same time, we referred to the duty, under data protection law, to act immediately in the interest of those affected,” the researchers said.
