For roughly a month, anybody could view Gumtree sellers' locations by simply pressing F12 on their keyboard.
There are good reasons for not wanting to publish your location on the internet.
“One of my neighbours recently tried to sell a TV on Gumtree only for a random person, who hadn’t made prior contact, turned up at his house when he wasn’t at home. The neighbor called me to say that his youngest daughter was in the house and was scared because the guy wouldn’t leave,” Pen Test Partners security researcher Alan Monie said.
British site Gumtree with approx. 1,7 million sellers leaked personally identifiable information (PII) of sellers to other site users. Pen Test Partners revealed that the email addresses, postcodes, GPS locations, and the sellers' surnames were all leaked.
"The site was super leaky. Every advert on the site included the seller's postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers' email address, and their full name was available via a simple IDOR vulnerability," Pen Test Partners blog entry reads.
Monie said he could access sensitive sellers' data simply by pressing F12 on his keyboard. F12 opens a "view page source" screen that shows the code generating the particular page. By doing that, Monie could see the HTML code, which leaked the following PII: email address, postcode or GPS coordinates, and the full name of the seller.
"Gumtree was not protecting the location of its sellers or their PII data and was leaking it on every advert. Sending this type of data to a third party is, in my opinion, a clear data breach under UK GDPR laws. Any user could unintentionally access the PII of any seller," Monie said.
He informed Gumtree of the issue on November 16, 2021. The site addressed all problems on December 6, meaning that sellers' PII was exposed at least for a month.
In a written statement to Bleeping Computer, Gumtree said that the issue was resolved "within hours of it being brought to our attention." They reported the problem to the Information Commissioner's Office (ICO). The company said it did not notify its users.
In October, the governor of Missouri threatened to prosecute a local journalist who found some Social Security Numbers in the HTML source of the Department of Elementary and Secondary Education's website.
More from CyberNews:
Subscribe to our newsletter