Clothing Retailer Patches Website Flaw Exposing Customer Data

A simple tweak to a web address was all it took to peer into someone else’s Express order.

The retailer recently patched a flaw in its website that exposed customer data through its order confirmation pages. The issue stemmed from the way Express generated sequential order IDs embedded in URLs, which allowed unauthorized access to personal details such as names, contact information, shipping addresses, and partial payment data.

The vulnerability, discovered by a security researcher, did not require advanced hacking techniques, only knowledge of how the URLs were structured.

From a fraudulent transaction investigation to uncovering a bigger problem

Many data exposures of this kind are noticed through abnormal activity on the company's own networks, but this one was spotted differently.

According to TechCrunch, the flaw was accidentally discovered by a security researcher and privacy advocate, Rey Bango. He noticed the issue while investigating a fraudulent transaction on his family member’s Express account, which was carried out using the account’s unique order number.

Bango, in his statement to TechCrunch, said:

“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order, and someone else’s order information came up!”

Normally, information like this is meant to be behind a properly authenticated page, locked away from even other Express users. But in this case, anyone who can tweak the web address for Express’ order confirmations can view almost everything the customer entered during checkout.

And with the right web automation tool? They can do this at scale. This is possible because Express assigns order numbers sequentially and adds them to the web address of its confirmation page. While not inherently a bug, it’s a dangerous practice.
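
The pattern the article describes is an insecure direct object reference: the confirmation page is keyed by a guessable, sequential number taken straight from the URL, and nothing checks that the requester owns the order. The block below is an added example, not Express's code; the order fields, the URL shape `/order/confirm?id=...`, the access-log format and the IP addresses are all constructed for illustration. It places the vulnerable lookup beside a hardened one (authenticated session, unguessable reference, ownership check) and adds a small detector that flags a client walking many distinct order IDs in constructed log lines, which is how the "at scale" case shows up to a defender.

```python
# Added example (not Express's code): the class of flaw described in the article,
# a hardened version of the same lookup, and a simple enumeration detector.
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: int          # sequential internal id (assumed, like the one in the URL)
    owner: str             # account that placed the order
    item: str
    card_last4: str
    # unguessable reference for customer-facing URLs, generated per order
    public_ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class OrderStore:
    """In-memory stand-in for the order database (constructed for the example)."""

    def __init__(self, first_id: int = 100000):
        self._by_id = {}
        self._by_ref = {}
        self._next_id = first_id

    def create(self, owner: str, item: str, card_last4: str) -> Order:
        order = Order(self._next_id, owner, item, card_last4)
        self._next_id += 1                      # sequential, hence guessable
        self._by_id[order.order_id] = order
        self._by_ref[order.public_ref] = order
        return order

    def by_id(self, order_id: int) -> Optional[Order]:
        return self._by_id.get(order_id)

    def by_ref(self, ref: str) -> Optional[Order]:
        return self._by_ref.get(ref)


class NotFound(Exception):
    pass


def confirmation_vulnerable(store: OrderStore, order_id: int) -> dict:
    """The weak pattern: page keyed by a sequential id from the URL,
    with no check that the requester owns the order."""
    order = store.by_id(order_id)
    if order is None:
        raise NotFound(order_id)
    return {"owner": order.owner, "item": order.item, "card_last4": order.card_last4}


def confirmation_hardened(store: OrderStore, public_ref: str,
                          session_user: Optional[str]) -> dict:
    """Hardened lookup: requires an authenticated session, keys the page on an
    unguessable reference, and verifies ownership. A missing order and an order
    owned by someone else both raise NotFound, so the response does not reveal
    which references exist."""
    if session_user is None:
        raise NotFound("authentication required")
    order = store.by_ref(public_ref)
    if order is None or order.owner != session_user:
        raise NotFound(public_ref)
    return {"owner": order.owner, "item": order.item, "card_last4": order.card_last4}


# Constructed access-log lines, "<client_ip> <method> <path>" (format is an assumption).
CONSTRUCTED_LOG = [
    "198.51.100.4 GET /order/confirm?id=100001",
    "203.0.113.7 GET /order/confirm?id=100002",
    "203.0.113.7 GET /order/confirm?id=100003",
    "203.0.113.7 GET /order/confirm?id=100004",
    "203.0.113.7 GET /order/confirm?id=100005",
    "203.0.113.7 GET /order/confirm?id=100006",
    "198.51.100.4 GET /account",
]


def enumeration_suspects(log_lines, threshold: int = 5) -> set:
    """Clients that requested at least `threshold` distinct confirmation ids.
    A customer views a handful of their own orders; an enumeration script
    walks many consecutive ids from one client."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _, path = parts
        if path.startswith("/order/confirm?id="):
            ids_per_client[client].add(path.split("=", 1)[1])
    return {c for c, ids in ids_per_client.items() if len(ids) >= threshold}
```

The ownership check is the fix that matters; the random reference only removes the guessability that made bulk access easy, and a site that keeps sequential numbers internally for operations can still expose only the random one in URLs. The detector's threshold is a starting point to tune against real traffic, not a fixed rule.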

The exposure included customer information such as:

  • Names
  • Phone numbers
  • Email addresses
  • Postal billing and delivery addresses
  • Order information: the purchased item
  • Partial card information, with its last four digits

Retailer response

Speaking to TechCrunch, Joe Berean, head of Marketing at Express, confirmed they are aware of the incident and have patched it.

“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” Berean said.

In the same statement, Berean expressed the company’s stance on customer data, saying:

“We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”

However, TechCrunch has noted that requests for comment regarding the legal disclosure of the incident have gone unanswered.

Additionally, even as the company asks users to contact it about any security concerns, it has not updated its website to make that easy. Bango was only able to report his observation through TechCrunch, highlighting the friction anyone who currently wants to report a security issue may face.

What happens now?

As of this reporting, the company hasn’t notified users who might have been affected, and as per TechCrunch, has answered no further questions. But it did say its investigations are ongoing, which may suggest that, once it’s done with that, affected customers can be notified, along with a notice sent to state attorneys general.

However, that depends entirely on Express and how it structures its timeline.

Since the report didn't specify how long the flaw had been present, anyone who has shopped at Express should stay vigilant against phishing attempts and monitor for signs of identity theft.

For a related look at how hidden vulnerabilities can open the door to larger threats, check out this report on malicious WordPress plugins planting backdoors across sites.
