Tuesday, March 19, 2024

HP Exposed more than 400,000 Customers Sensitive Information Online

A critical security vulnerability that existed in HP-Redemption support website exposed Lakh’s of their customer’s sensitive data online which allows anyone can access the registered user’s confidential information without any authentication.

HP India – Redemption support website (www.redemptionsupport.com) serves as a platform for customers to apply redemption and get a discounted extended warranty, onsite support, theft insurance and other offers as applicable for those who have purchased HP products (Laptops, Desktops, Printers) during the offer period.

The registered customers can view their claim status, add supporting documents for their claims by entering their redemption code. Customers can also see/update their personal details (Address, Email address, Contact numbers) post OTP verification.

Publicly exposed lakhs of HP customers sensitive information who has registered their claim on the website from 10th June 2015 to 7th Nov 2017.

Vulnerability Discovered

Two significant Vulnerability has been discovered that leads to exposing HP Customers personal information.

1.No OTP / password authentication was implemented on the login page:

Without OTP verification/password authentication, anyone can view other HP customers’ Name, City, Company, State, Zip code, Laptop Model Number, Serial Number, Product Part Code, Purchase Date, and Claim Status by simply entering the Consecutive redemption codes in the homepage.

2.Customer Sensitive Information was sent in plain text

HP customer’s confidential information such as Address, Email ID, and Mobile Number were sent in plain text which can be viewed by intercepting them with freely available tools like Burp Suite

This Critical Vulerability has been discovered by a Security Researcher  Shaikh Yaser Arafat  reported to GBHackers On Security said, “I was able to download customer sensitive information with automated scripts by entering consecutive redemption codes (Sample dump attached).
There were nearly 4,76,569 redemption codes available in the system starting from XXX00033 to XXX76602 (as on 8th Nov 2017 12:15 AM IST) with actual customer information.”

Vulnerability Report

Initially, once customers purchased the product they need to update the Product information, so the customer needs to go into  https://www.hpshopping.in/reinventinking2017 and click ‘Reinvent Celebration’ and choose the Choose Consumer notebook and enter your mobile number. Verify it with OTP.

Next page Customers used to update the form about their personal pieces of information such as name Email, Phone number, residential address along with Purchased Proof.

On successful registration, you will be receiving a Redemption Code. You can visit the HP Redemption Support Website (www.redemptionsupport.com) to check the status of your claim.

HP Exposed

Redemption support will help to view the status of their purchased product and once customer will provide the detail. To see the status, enter your Redemption Code and click on Search.

Redemption support search for claim status

In this case, You would be able to see your personal details (Name, City, Pin Code, etc.,) and your registered laptop details (Serial Number, Product Code, etc.,

HP Exposed

View of customers Clamin Registration Status details

In this form, click on edit or personal details to see sensitive information like Address, Email Address, and Mobile Number post-OTP verification.

Here, Customer sensitive information (Name, Address, Email Address, Mobile Number, Laptop Serial Numbers, etc., of other HP customers, can also be viewed without OTP verification.

This Sensitive Data Exposure allows anyone can view other customer’s name, city, laptop model, serial number, claim status, etc., by merely entering the consecutive redemption codes one by one on the homepage. No OTP / Password authentication was configured.

HP Exposed

Intercept the traffic with BurpSuite while clicking the ‘Edit’ / ‘Personal Details’ button to view customers sensitive information such as Address, Mobile Number, Email address, Customer sensitive information was sent in plain text.

HP Exposed

Customer Data DumpHP Exposed

This Critical Vulnerability has been reported and fixed by the HP security team on November 17, 2017. It’s unclear that any cybercriminal used the vulnerability to extract the data from HP support website.

HP would have suffered its most significant customer data breach if cybercriminals exposed this.

Website

Latest articles

Hackers Exploiting Microsoft Office Templates to Execute Malicious Code

In a cyberattack campaign dubbed "PhantomBlu," hundreds of employees across various US-based organizations were...

How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup?

The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within...

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hacked AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles