The well-known Gearbest, a major Chinese online shopping company, revealed millions of user profiles and purchase orders, according to security researchers.
Researcher Noam Rotem discovered that an Elasticsearch server is leaking millions of files every week. These include customer, order and file data from payments. The server is not even password protected accesss, allowing anyone to access the data.
Gearbest ranks as one of the top 250 websites in the world and cooperates with leading companies such as Asus, Huawei, Intel and Lenovo.
The TechCrunch website contacted Gearbest via a dedicated security page, and made sure to inform them of the vulnerable server. Despite the report, however, the company did not lock the data or respond to the request.
Rotem, who shared them his findings with TechCrunch, said that there are names, addresses, phone numbers, e-mail addresses and customer orders from purchased products among the data being released. The database also had information on payments and invoices.
"The content of some people's orders has been very revealing," says Rotem.
The exposed orders not only violate customer privacy, but may endanger the company's customers in too many parts of the world where freedom of speech and expression is restricted. Some of the listings are about gamea sex and other markets that could for example lead to legal interference where LGBTQ relationships are prohibited by law.
Countries such as the United Arab Emirates and Pakistan have strict laws that can result in death sentences.
Shenzhen-based Gearbest has a large presence in Europe with warehouses in Spain, Poland, the Czech Republic and the UK, where EU data protection and privacy laws are in force. Thus, any company that violates the General Protection Regulation Data (GDPR) may be fined up to 4% of its total revenue.
Αν έχετε κάποιο λογαριασμό στην ιστοσελίδα, δεν έχει νόημα να αλλάξετε κωδικό access, καθώς ο server είναι ακόμα ξέφραγο αμπέλι. Αυτό που μπορείτε όμως να κάνετε είναι να αλλάξετε κωδικό πρόσβασης όπου χρησιμοποιείτε τον ίδιο.
How to Enable and Disable a User in Windows 10
