The popular online cosmetics shop Strawberrynet has come under severe criticism from security experts, who have publicly posted information about potential problems in the way the site handles personal information. According to the security expert Troy Hunt, the site uses an insecure policy that exposes private customer data to malicious users.
Security experts alarm Strawberrynet’s customers
Serious privacy concerns have been raised by the security researcher Troy Hunt, who reported a flaw in the site's security policy. Apparently, if a user uses the quick checkout functionality, their personal data is stored in a way that allows anyone to access it. Malicious users only need to type in the email addresses of the target victims and their information is displayed. This includes the delivery address, names, telephone number and other essential data needed to make the purchase.
This type of privacy issue can lead to automated attacks from botnets or other methods of harvesting customer data.
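The flaw described above, beside one way to close it, as an added Python example that is not Strawberrynet's code: the insecure lookup releases a record for any email address typed in, while the hardened form releases it only with a short-lived token mailed to that address. All function names, the sample record and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data; not real customer records.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice Example", "address": "1 Sample St", "phone": "555-0100"},
}
SECRET = b"demo-only-key"  # assumption: a server-side secret, kept out of source in practice
TOKEN_TTL = 900            # seconds a mailed token stays valid


def quick_checkout_insecure(email):
    """Behaviour described above: the email address alone unlocks the record."""
    return CUSTOMERS.get(email.lower())


def _sign(email, expires):
    """HMAC over the address and expiry, so a token cannot be reused for another address."""
    return hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()


def request_prefill(email, now=None):
    """Step 1: answer identically for every address; queue a token only for known ones."""
    now = int(time.time()) if now is None else now
    email = email.lower()
    outbox = []  # stand-in for the mail queue: (recipient, token) pairs
    if email in CUSTOMERS:
        expires = now + TOKEN_TTL
        outbox.append((email, f"{expires}.{_sign(email, expires)}"))
    # Same response text either way, so the form cannot confirm who is a customer.
    return "If this address has an account, a link was sent.", outbox


def quick_checkout_hardened(email, token, now=None):
    """Step 2: release the record only for a valid, unexpired token."""
    now = int(time.time()) if now is None else now
    email = email.lower()
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = _sign(email, expires)
    if expires < now or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return CUSTOMERS.get(email)
```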
The company has responded that their site utilizes SSL and complies with industry standards for processing the payments. This means that there is no way that the hackers can obtain the credit card numbers of the customers. However, the publicly exposed personal information can be used by malicious users in social engineering or other types of attacks against the individuals themselves.
In response to rising concerns, Strawberrynet has informed their clients that anyone can request their personal data to be hidden from view by emailing the customer support staff.
This issue was identified in early August 2006; however, it has now surfaced to public attention once again. It is another example showing that options offering easier access and operation should not always be used when they compromise security. Customer responses have skyrocketed, as a lot of users have requested that their private details be hidden from the public.