Online clothing store Witchery lets customers view - and edit! - each other's personal information

Filed Under: Data loss, Featured, Mobile, Privacy, Uncategorized

Australian news site news.com.au has reported a rather worrying problem with the mobile website of Aussie clothing brand Witchery.

According to News Limited journalist Sarah Michael, customers visiting Witchery's mobile site were able to retrieve - and even to edit - the personal information of other customers via a feature called "track my order."

Customers could also view every order currently being processed, not just their own.

The good news is that a spokesperson for Country Road, the company that owns the Witchery brand, has gone on the record to say that no credit card information was exposed.

That's a relief, because Witchery's mobile site proudly boasts:

Card-free membership - make your wallet that bit lighter - your card number is stored in the app!

The bad news, of course, is that your credit card is one of the few aspects of your PII (Personally Identifiable Information) you can change fairly easily.

You also enjoy some statutory protections against fraud and abuse of your card, notably that you will probably get your money back if someone rips you off.

Things like the combination of your name and address are much harder to change if you think they have fallen into the wrong hands.

There's no suggestion that Witchery's regular website suffered from the same problem, and this wouldn't be the first time that the security of a company's mobile offering was found to be lower than its full-sized counterparts.

For example, when Facebook finally announced "HTTPS everywhere" in late 2012 - a move in which Naked Security likes to think it played a modest part - it had to admit that it was still working with mobile phone vendors to bring the same privacy and security benefits to mobile users.

Likewise, in Apple's world, apps approved for sale in the App Store have been found not only to grab hold of your contact data without proper permission, but also to upload it to the app's creator using unencrypted HTTP, something that would be considered out of the question for a regular website.

If news.com.au has it right, the Country Road spokesperson described Witchery's problem with the words, "A small problem has been identified by our third party provider and is being fixed."

We're not sure that's quite the right way to put it - describing a leak of customers' PII as "a small problem" isn't merely insensitive, it seems to imply that as long as what's breached doesn't have some immediate financial connection, such as a credit card number or expiry date, it doesn't really count.

You can listen to more about this topic in a recent Sophos podcast, where Chester Wisniewski and I discuss where security is heading in the so-called the Internet of Things:


(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)

Chester explains that we aren't really looking at an internet of things, but rather at an internet of intimate information about the people who happen to own and use various internet-connected things.

The relevant discussion kicks off at 10'19", but we think you'll enjoy the podcast enough to listen your way there rather than fast-forwarding.

, , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog