The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register.
We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection whatsoever – and the sensitive customer details in those receipts were exceptionally easy to access. Even your grandparents could have found it using Internet Explorer.
Details available for world+dog to browse through included names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer (e.g. Visa) and the last 4 digits of credit cards used to pay for goods.
Orders placed by police and military personnel included:
- A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force’s Empress State Building HQ in London, and made with a non-police email address composed of his unit’s very distinctive abbreviation
- A British Army Reserve major who had an £1,100 drone posted to his unit’s HQ
- A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
- A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera
It was unclear whether these purchases were for personal or governmental use.
Other orders seen by The Reg include ones placed by: staff from privatised defence research firm Qinetiq; the UK’s Defence Science and Technology Laboratory’s radar R&D base at Portsdown Hill; the Brit Army’s Infantry Trials and Development Unit; UK police forces up and down the country; local councils; governmental agencies; and thousands more orders placed by private individuals.