Sunday, November 24, 2024
HomeData BreachHP Exposed more than 400,000 Customers Sensitive Information Online

HP Exposed more than 400,000 Customers Sensitive Information Online

Published on

A critical security vulnerability that existed in HP-Redemption support website exposed Lakh’s of their customer’s sensitive data online which allows anyone can access the registered user’s confidential information without any authentication.

HP India – Redemption support website (www.redemptionsupport.com) serves as a platform for customers to apply redemption and get a discounted extended warranty, onsite support, theft insurance and other offers as applicable for those who have purchased HP products (Laptops, Desktops, Printers) during the offer period.

The registered customers can view their claim status, add supporting documents for their claims by entering their redemption code. Customers can also see/update their personal details (Address, Email address, Contact numbers) post OTP verification.

- Advertisement - SIEM as a Service

Publicly exposed lakhs of HP customers sensitive information who has registered their claim on the website from 10th June 2015 to 7th Nov 2017.

Vulnerability Discovered

Two significant Vulnerability has been discovered that leads to exposing HP Customers personal information.

1.No OTP / password authentication was implemented on the login page:

Without OTP verification/password authentication, anyone can view other HP customers’ Name, City, Company, State, Zip code, Laptop Model Number, Serial Number, Product Part Code, Purchase Date, and Claim Status by simply entering the Consecutive redemption codes in the homepage.

2.Customer Sensitive Information was sent in plain text

HP customer’s confidential information such as Address, Email ID, and Mobile Number were sent in plain text which can be viewed by intercepting them with freely available tools like Burp Suite

This Critical Vulerability has been discovered by a Security Researcher  Shaikh Yaser Arafat  reported to GBHackers On Security said, “I was able to download customer sensitive information with automated scripts by entering consecutive redemption codes (Sample dump attached).
There were nearly 4,76,569 redemption codes available in the system starting from XXX00033 to XXX76602 (as on 8th Nov 2017 12:15 AM IST) with actual customer information.”

Vulnerability Report

Initially, once customers purchased the product they need to update the Product information, so the customer needs to go into  https://www.hpshopping.in/reinventinking2017 and click ‘Reinvent Celebration’ and choose the Choose Consumer notebook and enter your mobile number. Verify it with OTP.

Next page Customers used to update the form about their personal pieces of information such as name Email, Phone number, residential address along with Purchased Proof.

On successful registration, you will be receiving a Redemption Code. You can visit the HP Redemption Support Website (www.redemptionsupport.com) to check the status of your claim.

HP Exposed

Redemption support will help to view the status of their purchased product and once customer will provide the detail. To see the status, enter your Redemption Code and click on Search.

Redemption support search for claim status

In this case, You would be able to see your personal details (Name, City, Pin Code, etc.,) and your registered laptop details (Serial Number, Product Code, etc.,

HP Exposed

View of customers Clamin Registration Status details

In this form, click on edit or personal details to see sensitive information like Address, Email Address, and Mobile Number post-OTP verification.

Here, Customer sensitive information (Name, Address, Email Address, Mobile Number, Laptop Serial Numbers, etc., of other HP customers, can also be viewed without OTP verification.

This Sensitive Data Exposure allows anyone can view other customer’s name, city, laptop model, serial number, claim status, etc., by merely entering the consecutive redemption codes one by one on the homepage. No OTP / Password authentication was configured.

HP Exposed

Intercept the traffic with BurpSuite while clicking the ‘Edit’ / ‘Personal Details’ button to view customers sensitive information such as Address, Mobile Number, Email address, Customer sensitive information was sent in plain text.

HP Exposed

Customer Data DumpHP Exposed

This Critical Vulnerability has been reported and fixed by the HP security team on November 17, 2017. It’s unclear that any cybercriminal used the vulnerability to extract the data from HP support website.

HP would have suffered its most significant customer data breach if cybercriminals exposed this.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Chinese Hackers Breached Deep Into US Telecom to Spy on Calls and Texts

In a breach that lawmakers are calling the most serious in U.S. history, Chinese...

Maxar Space Data Leak, Threat Actors Gain Unauthorized Access to the System

Maxar Space Systems, a leader in space technology and Earth intelligence solutions, has recently...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...