Friday, November 1, 2024
HomeData BreachHP Exposed more than 400,000 Customers Sensitive Information Online

HP Exposed more than 400,000 Customers Sensitive Information Online

Published on

Malware protection

A critical security vulnerability that existed in HP-Redemption support website exposed Lakh’s of their customer’s sensitive data online which allows anyone can access the registered user’s confidential information without any authentication.

HP India – Redemption support website (www.redemptionsupport.com) serves as a platform for customers to apply redemption and get a discounted extended warranty, onsite support, theft insurance and other offers as applicable for those who have purchased HP products (Laptops, Desktops, Printers) during the offer period.

The registered customers can view their claim status, add supporting documents for their claims by entering their redemption code. Customers can also see/update their personal details (Address, Email address, Contact numbers) post OTP verification.

- Advertisement - SIEM as a Service

Publicly exposed lakhs of HP customers sensitive information who has registered their claim on the website from 10th June 2015 to 7th Nov 2017.

Vulnerability Discovered

Two significant Vulnerability has been discovered that leads to exposing HP Customers personal information.

1.No OTP / password authentication was implemented on the login page:

Without OTP verification/password authentication, anyone can view other HP customers’ Name, City, Company, State, Zip code, Laptop Model Number, Serial Number, Product Part Code, Purchase Date, and Claim Status by simply entering the Consecutive redemption codes in the homepage.

2.Customer Sensitive Information was sent in plain text

HP customer’s confidential information such as Address, Email ID, and Mobile Number were sent in plain text which can be viewed by intercepting them with freely available tools like Burp Suite

This Critical Vulerability has been discovered by a Security Researcher  Shaikh Yaser Arafat  reported to GBHackers On Security said, “I was able to download customer sensitive information with automated scripts by entering consecutive redemption codes (Sample dump attached).
There were nearly 4,76,569 redemption codes available in the system starting from XXX00033 to XXX76602 (as on 8th Nov 2017 12:15 AM IST) with actual customer information.”

Vulnerability Report

Initially, once customers purchased the product they need to update the Product information, so the customer needs to go into  https://www.hpshopping.in/reinventinking2017 and click ‘Reinvent Celebration’ and choose the Choose Consumer notebook and enter your mobile number. Verify it with OTP.

Next page Customers used to update the form about their personal pieces of information such as name Email, Phone number, residential address along with Purchased Proof.

On successful registration, you will be receiving a Redemption Code. You can visit the HP Redemption Support Website (www.redemptionsupport.com) to check the status of your claim.

HP Exposed

Redemption support will help to view the status of their purchased product and once customer will provide the detail. To see the status, enter your Redemption Code and click on Search.

Redemption support search for claim status

In this case, You would be able to see your personal details (Name, City, Pin Code, etc.,) and your registered laptop details (Serial Number, Product Code, etc.,

HP Exposed

View of customers Clamin Registration Status details

In this form, click on edit or personal details to see sensitive information like Address, Email Address, and Mobile Number post-OTP verification.

Here, Customer sensitive information (Name, Address, Email Address, Mobile Number, Laptop Serial Numbers, etc., of other HP customers, can also be viewed without OTP verification.

This Sensitive Data Exposure allows anyone can view other customer’s name, city, laptop model, serial number, claim status, etc., by merely entering the consecutive redemption codes one by one on the homepage. No OTP / Password authentication was configured.

HP Exposed

Intercept the traffic with BurpSuite while clicking the ‘Edit’ / ‘Personal Details’ button to view customers sensitive information such as Address, Mobile Number, Email address, Customer sensitive information was sent in plain text.

HP Exposed

Customer Data DumpHP Exposed

This Critical Vulnerability has been reported and fixed by the HP security team on November 17, 2017. It’s unclear that any cybercriminal used the vulnerability to extract the data from HP support website.

HP would have suffered its most significant customer data breach if cybercriminals exposed this.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Grayscale Investments Data Breach Exposes 693K User Records Reportedly Affected

Grayscale Investments, a prominent crypto asset manager, has reportedly suffered a data breach affecting...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

Google Warns Of North Korean IT Workers Have Infiltrated The U.S. Workforce

North Korean IT workers, disguised as non-North Koreans, infiltrate various industries to generate revenue...