29 October 2019

Do Central Group care about customer privacy and data security?

Central Group is a large Thai company with its roots in retail. They own a chain of department stores and grocery stores and have expanded into many other industries over the years.

Like elsewhere in the world, traditional brick-and-mortar retail stores face increasing competition from online retailers, and Central is no different. In the past few years they have invested heavily into online shopping, and according to a Bangkok Post interview with their CEO they aim at being the largest online retailer in Thailand by 2021.

This is an impressive goal.

However, running a large e-commerce site is not only about maximizing sales and collecting money from customers, it also comes with responsibilities such as protecting customer data.

My online PowerBuy shopping experience


One of Central's store brands is called PowerBuy. Their department stores have PowerBuy outlets where you can buy TVs, washing machines, rice cookers, air conditioners, cameras, mobile phones and other household electronics and appliances. They also have a website where they sell the same goods online.

PowerBuy store in a mall


A few days ago, I was shopping around for air conditioners to replace two ten-year-old failing and noisy units. After visiting two nearby stores I decided to try buying them online instead, so I went to PowerBuy's website at www.powerbuy.co.th .

The shopping experience was similar to most other online shopping sites: you select the goods you want to buy, select quantity, and go to checkout.

There was a small hickup at checkout since my initial order combined air conditioners and fans, something their ordering system apparently cannot handle. After removing the fans from the order, I was able to place an order for two air conditioners.

When it was time to pay for my order I was redirected to a third party payment processor that PowerBuy/Central have outsourced their payment processing to. Outsourcing payment processing is probably one of the smartest decisions they could have made for this site.

After completing the payment, I was redirected back to PowerBuy's website where I got an instant order confirmation.

I noticed something interesting: the redirect took me to a page that took a single order number parameter and displayed not only my order but all my contact information: email address, name, billing address, shipping address, etc. The order number itself looked a bit too simple: it consisted of "PWB" followed by today's date, followed by a few additional digits that appeared to be a timestamp.

PowerBuy's order confirmation page



This looked weak, so I sent a Twitter comment to PowerBuy's social media team to alert them that they may have a weakness on their order confirmation page. This looked like something that would expose order and customer data to screenscrapers and bots.

Others chimed in and added another Central group twitter account and commented that they have also noticed similar issues elsewhere on Central owned websites.

Wait, it gets worse...

After not seeing any response at all from PowerBuy or Central after a couple of days, I decided to contact them via email instead. Before doing so I had a second and closer look at the PowerBuy website. What I came across revealed that their data privacy and security issues are a lot worse than I first thought.

When I accessed my customer profile, it showed a list of my orders. The link to the order details for each order is just a URL that ends with a six-digit number. This six-digit number turns out to be the internal order ID from their database, a number that is generated in sequential order in their database as orders come in.

PowerBuy's order summary page. The sequential Order ID in the URL could be used to retrieve any order in their database.


If I incremented the order ID from my order by one I would see the order placed by the customer who made an order right after me, including all their contact details. If I decremented the order ID by one I would see the order someone else placed right before mine.

There was no user authentication in place to ensure people didn't retrieve other people's orders!

This website was wide open to order enumeration: anyone could access any order, regardless of who that order belonged to. While it would be time consuming to traverse all orders manually in a web browser, the way this was implemented made it trivial for anyone to automate order retrieval for a large number of orders by using a few lines of javascript or an off-the-shelf screen scraping tool.

A closer look revealed that the problem was in the GraphQL API endpoint used by their website. It exposes a number of API endpoints, and it didn't validate that the caller was requesting order or customer data belonging to themselves. If you were logged in to the site, you could retrieve anyone's orders, along with shipping and billing address, tax IDs, etc.

If this was in Europe, PowerBuy and Central would probably face a hefty fine for GDPR violations, given that the order confirmation and summary pages includes the customer's shipping address, billing address, email address, phone number, tax ID etc.

Not only did this GraphQL API endpoint expose customer data, it also exposed things that I would expect a retailer would want to keep internal. This included e.g. the credit merchant rates they pay to different local banks when customers pay using credit cards; these rates were sent back to every shopper on their website. Anyone with an F12 key on their keyboard can access this information; hit F12 to open your webbrowser's developer tools and browse away.

Don't blame the techies, this is an organizational failure


Some people may see this as just a bug, an implementation flaw, but I believe it is more of an organizational failure.

How could something so trivially exploitable pass code reviews, QA testing, security reviews, or even the scrutiny of a business analyst? Finding a bug like that in a test environment is understandable, but how did this make it into their production environment? My guess is that none of those processes are in place in their organization. For an outsider, this looks like an organization that has no code reviews, no QA, no security reviews. "If it compiles, ship it!"

How many other similar issues do they have on their websites and mobile apps? Personally, I would be very surprised if this is a single isolated issue.

I sincerely hope that they will not blame this on some low-level [presumably underpaid] techie who did the final implementation. Rather this should be addressed at a higher level as this is an organizational and management failure, followed by a proper security review of all their websites and exposed API endpoints, as well as implementing a way for customers and others to provide feedback to them on privacy and security issues.

Contacting Central Tech, PowerBuy, Central Retail

Since I had received no response to my initial feedback to PowerBuy's twitter account, I decided to try other channels. At first, I sent an email to Central's customer service team, and to Central Tech, the central subsidiary that is in charge of their e-commerce websites.

That email also went unanswered.

I also reached out to someone I used to work with almost 20 years ago whom I know worked for Central Tech recently. He told me that he had left Central Tech a while ago, but he would pass on my findings to them.

In parallel, I started looking for who at Central/PowerBuy may be responsible for their online endeavors. I quickly found the name of their CEO, the same person quoted in the Bangkok Post article I linked to above. However, I wasn't able to find the CEO's email address or any other contact information, so I tried a few different email addresses based on different combinations of his first and last name. None worked.

After a day I decided to try a different channel, I decided to try to send the CEO a LinkedIn message to let him know of my findings. Since he is not one of my LinkedIn contacts, I first had to purchase a "LinkedIn Premium" account so that I could send a message to someone not on my contact list. He replied to my In message within an hour with a brief "Hi Kristofer, thanks so much for this alert. I will follow up. Regards. Nicolò".

I replied and asked for his email address so that I can provide him with steps to reproduce and other details of my findings. That question was not answered, so I still don't have an email address for him or for anyone else at Central, Central Tech, or PowerBuy that I can send additional information to.

At this point, that short message "Hi Kristofer, thanks so much for this alert. I will follow up. Regards. Nicolò" was the only comment I have seen from anyone currently working at Central/PowerBuy/Central Tech regarding this issue.

Later, he replied with a lengthier response and included a contact email address so that I could provide them with more details on my concerns over their shortcomings on protecting customer data.

This again points to a management and organizational issue. Customer service didn't respond to or act on my feedback. Their social media team didn't either. They probably have no escalation path and no means to act on information security related feedback. There is no clear way to contact their tech team besides a generic "info@central.tech" email address that appear to be unmonitored.

The only escalation path that seems to work at this point is by contacting a former Central Tech employee. He has been very helpful though.

Because of how trivial it is to exploit the weaknesses in PowerBuy/Central's website and APIs, I doubt I am the first person to notice this. Others may have noticed it, some may have tried to contact PowerBuy/Central and met the same obstacles in getting in touch with them as I did, yet others may have decided to misuse these weaknesses for bad purposes.

Conclusion


I would have expected PowerBuy/Central to acknowledge the problem and to take immediate action to protect the exposed data. Yet, days later I can't see any signs that they have taken any action to do so. At the time of writing this, the website still allow anyone to view anyone else's order, billing, and shipping information.

Also, why is it so difficult to provide feedback to some organizations on security issues? It wouldn't be that hard for them to have a single "security@central.tech" email alias that could be monitored from time to time, in case someone somewhere decides to notify them about a security issue? Maybe they have an email alias for security issues, but I certainly could not find it published anywhere.

Running a large e-commerce site is not only about maximizing sales and collecting money. It also comes with responsibilities, including protecting customer data.

If Central Group are really committed to becoming the local leader in e-commerce and online retail, perhaps taking security and data privacy issues should be on the daily agenda?

I still don't have an answer to the question I raised in the title of this rant, "Do Central Group care about customer privacy and data security?". I hope they do take these things seriously, that they will work on improving their processes, and I hope they will use this case as a learning experience and improve the way they respond to feedback on security and privacy matters.

(end of rant)


Update: (6 Nov 2019) Today, I met with people from the Central Tech team who assured me that they take security and privacy issues very seriously and that they will work to ensure that they have better security measures in place to reduce the risk of future potential data leaks/exposure. The underlying technical issues that made me concerned about Central Group's ability to protect customer data has been addressed according to the Central Tech team, and the vulnerabilities that got my attention should be closed now.

When I met with Central Tech, I shared some ideas with them on how they can identify and prevent bots and screenscrapers from accessing their websites and APIs, which I hope comes in handy. I also encouraged them to make it easier for customers like myself to report concerns about security and privacy to their team, and to ensure the respective customer service teams knows how to escalate technical issues within their organization. This because it took me several attempts to contact them through different channels before I got a confirmation that they were addressing these concerns.

I hope this write-up can serve as a case study and learning experience both for Central Tech as well as for others who run large e-commerce websites that process PII data.

Timeline:
25 Oct 2019: I placed an order on powerbuy.co.th. When doing so, I noticed a couple of issues that I tried to report to their social media team.
28 Oct 2019: After not hearing back from PowerBuy's social media team, I had a closer look at the website and noticed additional security issues. I tried to report this to PowerBuy, Central, and Central Tech via a few different channels.
29 Oct 2019: Not being sure if my reports were being addressed by the PowerBuy and Central Tech team, I tried to escalate my concerns to the CEO of Central Retail. Later in the day I also made the write-up below, hoping that it would get the right attention.
6 Nov 2019: I met a few people from the Central Tech team who assured me that they take these issues seriously, that they have addressed the vulnerabilities/weaknesses that I had raised, and that they will look for additional potential vulnerabilities and continue to improve their website security.



Update 2: (19 Nov 2019) A couple of weeks have passed since Central Tech told me that they have fixed all security issues, so I am adding back the details of the data protection issues that I noticed on the PowerBuy website.

Hopefully this can be useful for someone else building e-commerce sites, to use as an example of things to include when testing e-commerce sites prior to releasing into production.

I still can't see a security contact address or bug reporting channel for Central Tech or any of the web properties they manage published anywhere on their website.

Until Central have a clear channel for reporting bugs and security issues, others who find security issues on Central's web properties may have to resort to escalating their concerns through the same channels that I used to get their attention.

I also haven't seen any notification from PowerBuy or Central to their customers regarding leaving all their customer data exposed to anyone. I think it is fair to assume that I am not the first person to notice these weaknesses, and that PowerBuy's customer/order data may already have been accessed/downloaded/screen-scraped by unauthorized third parties, and it would have been prudent for Central/PowerBuy to notify their customer that their information may have been accessed by unauthorized third parties.

No comments:

Post a Comment