By Tobias Sjölin, Project Director
In the spring of 2020, we got a notification from Bugcrowd that a researcher had found a security vulnerability and was requesting a bug bounty. The security of the customers who use our sites daily is our top priority, so we immediately got to work assessing the impact and fixing the issue.
At Boozt we live and work by the fail-fast mentality. It is better to get your mistakes out in the open quickly, so you don't have to deal with them later, when they tend to be bigger and messier. This mentality is also why we run a bug bounty program through the Bugcrowd platform: we tap into the competence of the hacker community to improve our cybersecurity and make sure that we always spot our mistakes, fast.
The Bugcrowd notification carried a confirmed and triaged issue with our customer data. Our Trustpilot review pages were exposing the email address and location of every customer who had left a review through the Trustpilot site. On the Booztlet site the issue was out in the open, because almost every page visit makes an ajax call to /xx/xx/trustpilot. On Boozt it was not visible, since the Boozt frontend does not call /xx/xx/trustpilot, but the endpoint was there all the same, so anyone who discovered the leak on Booztlet could easily apply it to Boozt. On top of that, the same Trustpilot URI accepted an offset variable in a POST body, which made it trivial to page through the results and fetch the data of every customer who had ever left a review.
Finding the root of the problem
The cause of the issue was two changes deployed six years apart. We initially added functionality for fetching Trustpilot reviews with a SELECT * FROM … query; because the PHP templates rendered only selected fields, the extra columns never reached the browser. When the Trustpilot pages were refactored to React, we started sending the raw result of that query to the frontend, without verifying that it contained no sensitive information. Neither change was wrong on its own; the leak was the combination.
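The two halves of the bug, and the fix, as an added example that is not Boozt's code (the original was PHP; this illustration is Python with an in-memory SQLite table, and the table name, column names and sample rows are constructed assumptions). `fetch_reviews_vulnerable` is the SELECT * pattern handed straight to the frontend, `fetch_reviews_fixed` selects only public columns, `to_public_rows` is an allowlist at the serialisation boundary that would have caught the React refactor even with SELECT * still in place, and `enumerate_all` walks the offset parameter the way the report describes:

```python
import sqlite3

# Added example, not Boozt's code. Schema, column names and sample rows are
# constructed for illustration; the real table and fields are not on the page.
SAMPLE_REVIEWS = [
    (1, "Anna", 5, "Fast delivery", "anna@example.com", "Stockholm"),
    (2, "Erik", 4, "Good prices", "erik@example.com", "Malmö"),
    (3, "Lena", 3, "Parcel arrived late", "lena@example.com", "Helsinki"),
]

# Columns the frontend may see, and the ones that must never leave the backend.
PUBLIC_COLUMNS = ("id", "author_name", "rating", "body")
SENSITIVE_COLUMNS = frozenset({"email", "city"})


def make_db():
    """In-memory SQLite stand-in for the reviews table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE trustpilot_reviews ("
        "id INTEGER PRIMARY KEY, author_name TEXT, rating INTEGER, "
        "body TEXT, email TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO trustpilot_reviews VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_REVIEWS
    )
    conn.commit()
    return conn


def fetch_reviews_vulnerable(conn, offset=0, limit=2):
    """The post's failure mode: SELECT * and hand the whole row to the frontend.

    Harmless while a template picks which fields to render; a leak the moment
    the rows are serialised wholesale for an ajax call.
    """
    rows = conn.execute(
        "SELECT * FROM trustpilot_reviews ORDER BY id LIMIT ? OFFSET ?",
        (limit, offset),
    ).fetchall()
    return [dict(r) for r in rows]


def fetch_reviews_fixed(conn, offset=0, limit=2):
    """Select only the columns the response is allowed to contain."""
    # PUBLIC_COLUMNS is a hard-coded constant, so building the column list this
    # way is not an injection risk; never do it with caller-supplied names.
    cols = ", ".join(PUBLIC_COLUMNS)
    rows = conn.execute(
        f"SELECT {cols} FROM trustpilot_reviews ORDER BY id LIMIT ? OFFSET ?",
        (limit, offset),
    ).fetchall()
    return [dict(r) for r in rows]


def to_public_rows(rows):
    """Second line of defence at the serialisation boundary: drop every key
    not on the allowlist, so a later SELECT * cannot leak through the API."""
    return [{k: r[k] for k in PUBLIC_COLUMNS if k in r} for r in rows]


def leaked_columns(rows):
    """Which sensitive columns appear anywhere in a response payload."""
    keys = set()
    for r in rows:
        keys.update(r.keys())
    return keys & SENSITIVE_COLUMNS


def enumerate_all(conn, fetch, limit=2):
    """Walk the offset parameter, as the report describes, until the endpoint
    returns an empty page, collecting every customer's row."""
    collected, offset = [], 0
    while True:
        page = fetch(conn, offset=offset, limit=limit)
        if not page:
            break
        collected.extend(page)
        offset += limit
    return collected


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", leaked_columns(enumerate_all(db, fetch_reviews_vulnerable)))
    print("fixed leaks:     ", leaked_columns(enumerate_all(db, fetch_reviews_fixed)))
```

The allowlist in `to_public_rows` is the cheap insurance the post's lesson points at: even if someone reintroduces SELECT * later, the response shape is pinned by an explicit list rather than by whatever the table happens to contain.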
Once alerted to the security issue, we had to investigate the impact on the webshops and whether any damage had been done that could hurt our customers. We did this by going through the load balancer access logs for Boozt and Booztlet, and luckily we could determine that no personal data had ended up in the wrong hands.
Boozt
We looked at Boozt first, both because the potential fallout there is bigger and because it was easier to determine whether the vulnerability had actually been abused. Exploiting it requires a POST request to the vulnerable endpoint, and the Boozt frontend never sends that request, so any such request in the logs would stand out on its own. The logs showed that nobody had sent one, meaning no data leaked there.
Booztlet
On Booztlet it is trickier to determine whether something happened, because the Booztlet frontend legitimately POSTs to the endpoint on every page visit, and the part of the vulnerability that enables enumeration, the offset parameter, travels in the POST body rather than in the request line. The request line alone cannot tell a normal page load from an enumeration attempt.
We started by filtering the logs down to all requests to the vulnerable endpoint and exported the POST requests for analysis. Because the page displaying the Trustpilot reviews issues that request when you land on it, a POST request that follows a GET request to the same page is a normal page load and can be ignored. Searching the POST bodies of the remaining requests for the offset parameter left two IP addresses that had accessed the data. Bugcrowd confirmed that one belonged to the security researcher who reported the problem; the other was us, replicating the issue. All good!
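The four-step triage above, as an added example that is not Boozt's tooling: it runs the post's rules over constructed access-log lines (the line format, the review page path /xx/xx/reviews, the five-second page-load window and the same-client pairing of GET and POST are assumptions; the endpoint path is the placeholder the post uses), and returns, per client IP, the offsets that were requested outside a normal page load. It assumes the log lines are in time order and that the log includes request bodies, which the post's method requires and which most load balancers do not capture by default.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Boozt's tooling. The endpoint path is the placeholder the
# post uses; the review page path, log format and time window are assumptions.
TRUSTPILOT_ENDPOINT = "/xx/xx/trustpilot"
REVIEW_PAGE = "/xx/xx/reviews"
PAGE_LOAD_WINDOW = timedelta(seconds=5)
OFFSET_RE = re.compile(r"(?:^|&)offset=(\d+)")

# Constructed log lines: "<timestamp> <client ip> <method> <path> <status> <body>",
# with "-" for an empty body. 198.51.100.7 plays the researcher paging through
# the data, 192.0.2.5 the internal replication, the rest are ordinary visitors.
SAMPLE_LOG = """\
2020-04-02T10:00:01Z 203.0.113.10 GET /xx/xx/reviews 200 -
2020-04-02T10:00:02Z 203.0.113.10 POST /xx/xx/trustpilot 200 offset=0
2020-04-02T10:05:00Z 198.51.100.7 POST /xx/xx/trustpilot 200 offset=0
2020-04-02T10:05:01Z 198.51.100.7 POST /xx/xx/trustpilot 200 offset=20
2020-04-02T10:05:02Z 198.51.100.7 POST /xx/xx/trustpilot 200 offset=40
2020-04-02T10:07:10Z 203.0.113.44 GET /xx/xx/reviews 200 -
2020-04-02T10:07:11Z 203.0.113.44 POST /xx/xx/trustpilot 200 offset=0
2020-04-02T10:09:30Z 203.0.113.44 GET /xx/xx/products 200 -
2020-04-02T11:30:00Z 192.0.2.5 POST /xx/xx/trustpilot 200 offset=20
"""


def parse_line(line):
    """Split one log line into its fields; the body may contain spaces."""
    ts, client, method, path, status, body = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
        "body": body,
    }


def find_enumeration_attempts(log_text):
    """Return {client ip: [offsets requested]} for POSTs to the endpoint that
    do not look like the ajax call a normal page load makes."""
    last_page_get = {}
    suspects = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        req = parse_line(raw)
        # Remember when each client last loaded the page that embeds the reviews.
        if req["method"] == "GET" and req["path"] == REVIEW_PAGE:
            last_page_get[req["client"]] = req["ts"]
            continue
        # Steps 1 and 2 of the post: only the vulnerable endpoint, only POSTs.
        if req["method"] != "POST" or req["path"] != TRUSTPILOT_ENDPOINT:
            continue
        # Step 3: a POST shortly after that client's GET of the page is the
        # page's own ajax call and is ignored.
        prior = last_page_get.get(req["client"])
        if prior is not None and timedelta(0) <= req["ts"] - prior <= PAGE_LOAD_WINDOW:
            continue
        # Step 4: the offset travels in the body; whatever is left is a
        # hand-crafted request, and the offsets show how far it paged.
        m = OFFSET_RE.search(req["body"])
        if m:
            suspects[req["client"]].append(int(m.group(1)))
    return dict(suspects)


if __name__ == "__main__":
    for ip, offsets in sorted(find_enumeration_attempts(SAMPLE_LOG).items()):
        print(f"{ip}: offsets {offsets}")
```

Keeping the offsets rather than just the IPs is deliberate: a single stray POST with offset=0 is ambiguous, while a run of increasing offsets from one client is the enumeration the report describes, and the list is what you would hand to Bugcrowd to match against the researcher's own notes.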
Once we had found the cause and confirmed that no damage had been done, we made sure not to repeat the mistake. A webshop fix was deployed that removes the sensitive fields from the Trustpilot responses. The lesson: never use SELECT * FROM in a production query; always control exactly which data you output, and control it again at the point where it leaves the backend. Another thing to recognise is the value of outside eyes on your security. We pay bounties for researchers to find issues like this, and it is worth every penny compared to exposing customer data.