
HP Exposed more than 400,000 Customers Sensitive Information Online


A critical security vulnerability in HP's Redemption Support website exposed lakhs of customers' sensitive data online, allowing anyone to access registered users' confidential information without any authentication.

HP India's Redemption Support website (www.redemptionsupport.com) serves as a platform for customers to apply for redemption and get a discounted extended warranty, onsite support, theft insurance and other offers, as applicable, for those who purchased HP products (laptops, desktops, printers) during the offer period.

Registered customers can view their claim status and add supporting documents to their claims by entering their redemption code. Customers can also view or update their personal details (address, email address, contact numbers) after OTP verification.

The site publicly exposed the sensitive information of lakhs of HP customers who registered a claim on the website between 10th June 2015 and 7th Nov 2017.

Vulnerability Discovered

Two significant vulnerabilities were discovered that led to the exposure of HP customers' personal information.

1. No OTP / password authentication was implemented on the login page:

Without OTP verification or password authentication, anyone could view other HP customers' name, city, company, state, zip code, laptop model number, serial number, product part code, purchase date and claim status simply by entering consecutive redemption codes on the homepage.

2. Customer sensitive information was sent in plain text:

HP customers' confidential information such as address, email ID and mobile number was sent in plain text, which can be viewed by intercepting it with freely available tools like Burp Suite.
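The two weaknesses above, modelled as an added example (not HP's code) in plain Python: a claim lookup that behaves the way the article describes, next to a hardened version that releases a claim only to an OTP-verified session bound to that claim's own mobile number, refuses plaintext transport, and issues unguessable codes instead of a consecutive counter. The records, the Session class and the field names are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample claims keyed by sequential redemption codes (like XXX00033...).
CLAIMS = {
    "XXX00033": {"name": "A. Customer", "city": "Pune", "serial": "SN-0001",
                 "status": "Approved", "mobile": "9000000001", "email": "a@example.com"},
    "XXX00034": {"name": "B. Customer", "city": "Delhi", "serial": "SN-0002",
                 "status": "Pending", "mobile": "9000000002", "email": "b@example.com"},
}


def lookup_vulnerable(code):
    """Weak behaviour described in the article: any code returns the full record,
    no session or OTP required, and sequential codes make enumeration trivial."""
    return CLAIMS.get(code)


@dataclass
class Session:
    """Hypothetical server-side session state; otp_verified_mobile is the
    number the customer proved ownership of via OTP, or None if not verified."""
    otp_verified_mobile: Optional[str] = None
    over_tls: bool = True


def lookup_hardened(code, session):
    """Hardened version: refuse plaintext transport, and release a claim only to
    a session that has passed OTP for the mobile number on that very claim.
    Unknown codes and codes belonging to other customers both return None, so
    the response does not reveal which codes exist."""
    if not session.over_tls:
        raise PermissionError("personal data is only served over HTTPS")
    record = CLAIMS.get(code)
    if record is None or session.otp_verified_mobile is None:
        return None
    # constant-time comparison so the ownership check leaks nothing by timing
    if not hmac.compare_digest(session.otp_verified_mobile, record["mobile"]):
        return None
    return dict(record)


def new_redemption_code():
    """Unguessable code instead of a consecutive counter: 128 bits of randomness
    behind the same 'XXX' prefix, so codes cannot be walked one by one."""
    return "XXX" + secrets.token_hex(16)
```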

This critical vulnerability was discovered by security researcher Shaikh Yaser Arafat, who reported it to GBHackers On Security and said, “I was able to download customer sensitive information with automated scripts by entering consecutive redemption codes (Sample dump attached).
There were nearly 4,76,569 redemption codes available in the system starting from XXX00033 to XXX76602 (as on 8th Nov 2017 12:15 AM IST) with actual customer information.”

Vulnerability Report

Initially, once customers purchase the product they need to register the product information: the customer goes to https://www.hpshopping.in/reinventinking2017, clicks ‘Reinvent Celebration’, chooses ‘Consumer Notebook’, enters their mobile number and verifies it with an OTP.

On the next page, customers fill in the form with their personal information such as name, email, phone number and residential address, along with proof of purchase.

On successful registration, you receive a Redemption Code. You can then visit the HP Redemption Support website (www.redemptionsupport.com) to check the status of your claim.


Redemption Support lets customers view the status of their purchased product once they provide the details. To see the status, enter your Redemption Code and click Search.

Redemption support search for claim status

In this case, you would be able to see your personal details (name, city, pin code, etc.) and your registered laptop details (serial number, product code, etc.).


View of a customer's claim registration status details

In this form, click on ‘Edit’ or ‘Personal Details’ to see sensitive information like address, email address and mobile number after OTP verification.

Here, the sensitive information (name, address, email address, mobile number, laptop serial numbers, etc.) of other HP customers could also be viewed without OTP verification.

This sensitive data exposure allowed anyone to view another customer's name, city, laptop model, serial number, claim status, etc., by merely entering consecutive redemption codes one by one on the homepage. No OTP / password authentication was configured.


Intercepting the traffic with Burp Suite while clicking the ‘Edit’ / ‘Personal Details’ button shows customers' sensitive information such as address, mobile number and email address: this customer sensitive information was sent in plain text.


Customer data dump
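From the defender's side, the pattern in the walkthrough above (one client walking consecutive redemption codes) stands out in web server access logs. The following added example, not part of the article, flags clients that request many distinct, consecutive codes within a short window; the log format, client IPs and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log format: Apache combined style, claim lookups as GET /?code=...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /\?code=(?P<code>[A-Z]{3}\d{5}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 walks consecutive codes; 10.0.0.9 looks up a single code.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2017:00:15:01 +0530] "GET /?code=XXX00033 HTTP/1.1" 200 812
10.0.0.5 - - [08/Nov/2017:00:15:02 +0530] "GET /?code=XXX00034 HTTP/1.1" 200 799
10.0.0.9 - - [08/Nov/2017:00:15:02 +0530] "GET /?code=XXX51210 HTTP/1.1" 200 805
10.0.0.5 - - [08/Nov/2017:00:15:03 +0530] "GET /?code=XXX00035 HTTP/1.1" 200 790
10.0.0.5 - - [08/Nov/2017:00:15:04 +0530] "GET /?code=XXX00036 HTTP/1.1" 200 801
10.0.0.5 - - [08/Nov/2017:00:15:05 +0530] "GET /?code=XXX00037 HTTP/1.1" 200 811
"""

def parse_lookups(log_text):
    """Yield (client_ip, timestamp, numeric part of the redemption code)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["code"][3:])

def find_enumerators(log_text, window_s=60, min_codes=5, min_seq_ratio=0.8):
    """Return {client_ip: distinct_codes} for clients whose lookups inside any
    window_s-second window cover at least min_codes distinct codes and where at
    least min_seq_ratio of successive lookups move the code by exactly one."""
    by_ip = defaultdict(list)
    for ip, ts, code in parse_lookups(log_text):
        by_ip[ip].append((ts, code))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            codes = [c for _, c in events[start:end + 1]]
            if len(set(codes)) < min_codes:
                continue
            steps = sum(1 for a, b in zip(codes, codes[1:]) if abs(b - a) == 1)
            if steps / max(1, len(codes) - 1) >= min_seq_ratio:
                flagged[ip] = len(set(codes))
                break
    return flagged
```

Thresholds are deliberately conservative so a customer who mistypes a digit or two is not flagged; tune window_s and min_codes to the site's real traffic.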

This critical vulnerability was reported to and fixed by the HP security team on November 17, 2017. It is unclear whether any cybercriminal used the vulnerability to extract data from the HP support website.

HP would have suffered its most significant customer data breach if cybercriminals had exploited this.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
