Most gaping security holes are mistakes. But for one major Hong Kong-based online retailer, Strawberrynet, the security shortcoming is a deliberate feature.
Like many ecommerce sites, Strawberrynet offers registered users an express checkout. What makes the beauty-products site unusual is that it lets you sign in to your account using only your email address. That’s right: no password required.
“I’ve never seen another site that’s consciously built a feature like this and assumed it must have been an accident when I first saw it,” security researcher Troy Hunt told Threatpost. “It’s hard to justify or rationalize this in any way; there’s no technical justification for exposing personal data like this publicly.”
Hunt has chronicled the privacy issues with Strawberrynet’s site for almost a year. Last August he got wind of the problem, visited the site and tried guessing customers’ email addresses. Without much effort, a guessed address pulled up that customer’s billing and delivery address, along with home and mobile phone numbers. He was also able to make changes to the account. No credit card information was exposed.
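To make the flaw concrete, here is an added example (not Strawberrynet’s code, and not from Hunt’s post) that contrasts an email-only “login” with a password-checked one. The account records, email addresses and passwords are constructed for the example. The weak function is the pattern the article describes: knowing an address is enough to read and act on the account, so a list of guessed addresses doubles as an enumeration attack. The hardened function verifies a salted PBKDF2 hash, does the same amount of hashing work for unknown addresses, and returns the same generic result for “no such account” and “wrong password”, so a guessed address on its own yields nothing.

```python
"""Email-only lookup vs. password-checked login (illustrative example).

All accounts, passwords and guess lists below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Optional

# Constructed customer records: the kind of data the article says was exposed.
ACCOUNTS: Dict[str, dict] = {
    "jessica@gmail.com": {"name": "Jessica", "address": "1 Sample Street", "phone": "+852 0000 0000"},
    "ops@example.com": {"name": "Ops Team", "address": "2 Sample Road", "phone": "+852 1111 1111"},
}

# Constructed passwords for the hardened variant (never stored in clear in real systems).
_PASSWORDS = {"jessica@gmail.com": "correct horse", "ops@example.com": "battery staple"}

# Iteration count kept low so the example runs quickly; production should use far more.
_PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; fixed-length output so compare_digest sees equal lengths."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


# Per-account salt and hash, derived once at import time for the example.
_SALTS: Dict[str, bytes] = {email: os.urandom(16) for email in ACCOUNTS}
_HASHES: Dict[str, bytes] = {email: _hash_password(_PASSWORDS[email], _SALTS[email]) for email in ACCOUNTS}

# Dummy salt/hash used for unknown emails, so a failed lookup costs the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)


def lookup_by_email_only(email: str) -> Optional[dict]:
    """The weak pattern: the email address is the entire credential.

    Anyone who can guess an address gets the profile back, and a None/dict
    difference tells an attacker which addresses are registered.
    """
    return ACCOUNTS.get(email)


def login(email: str, password: str) -> Optional[dict]:
    """Hardened variant: require a password and hide whether the email exists.

    Unknown emails are hashed against a dummy salt so timing is similar, and the
    result for 'no such account' and 'wrong password' is identical (None).
    """
    salt = _SALTS.get(email, _DUMMY_SALT)
    expected = _HASHES.get(email, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # Both conditions are evaluated only after the hash work is done.
    if hmac.compare_digest(candidate, expected) and email in ACCOUNTS:
        return ACCOUNTS[email]
    return None


def enumerate_guesses(guesses: Iterable[str], probe: Callable[[str], Optional[dict]]) -> List[str]:
    """Try each guessed address against a probe; return those that leak a profile."""
    return [email for email in guesses if probe(email) is not None]


# Constructed guess list in the spirit of "a common female name at @gmail.com".
GUESSES = ["jessica@gmail.com", "sarah@gmail.com", "emily@gmail.com"]


if __name__ == "__main__":
    print("email-only lookup leaks:", enumerate_guesses(GUESSES, lookup_by_email_only))
    print("password login leaks:   ", enumerate_guesses(GUESSES, lambda e: login(e, "")))
    print("valid login works:      ", login("jessica@gmail.com", "correct horse") is not None)
```

The key design point is that the hardened `login` never lets the caller distinguish an unregistered address from a wrong password, either by return value or by skipping the hash computation; rate limiting on the endpoint would be the next layer, but it is outside this example.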
“Now all I did here was enter a very common female name to @gmail.com and wammo! There’s all her data,” Hunt wrote in his latest blog post on the Strawberrynet saga on Wednesday.
After bringing it to the company’s attention, Hunt was told by Strawberrynet, “Using your e-mail address as your password is sufficient security.”
Hunt’s public pressure on the company forced a change. You can still log onto Strawberrynet.com using just…