UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.
British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.
In both Firefox and Chrome, F12 opens the “view page source” developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site’s 1.7 million monthly sellers.
PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.
The bug bounty policy specified €500-€5,000, PTP added, and “after the issue was fixed, [it was] informed that no reward was payable because – ‘This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself.'”
In a blog post about the kerfuffle, a PTP rsearcher said: “After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum.”