Categories: Data Breach

HP Exposed more than 400,000 Customers Sensitive Information Online

A critical security vulnerability that existed in HP-Redemption support website exposed Lakh’s of their customer’s sensitive data online which allows anyone can access the registered user’s confidential information without any authentication.

HP India – Redemption support website (www.redemptionsupport.com) serves as a platform for customers to apply redemption and get a discounted extended warranty, onsite support, theft insurance and other offers as applicable for those who have purchased HP products (Laptops, Desktops, Printers) during the offer period.

The registered customers can view their claim status, add supporting documents for their claims by entering their redemption code. Customers can also see/update their personal details (Address, Email address, Contact numbers) post OTP verification.

Publicly exposed lakhs of HP customers sensitive information who has registered their claim on the website from 10th June 2015 to 7th Nov 2017.

Vulnerability Discovered

Two significant Vulnerability has been discovered that leads to exposing HP Customers personal information.

1.No OTP / password authentication was implemented on the login page:

Without OTP verification/password authentication, anyone can view other HP customers’ Name, City, Company, State, Zip code, Laptop Model Number, Serial Number, Product Part Code, Purchase Date, and Claim Status by simply entering the Consecutive redemption codes in the homepage.

2.Customer Sensitive Information was sent in plain text

HP customer’s confidential information such as Address, Email ID, and Mobile Number were sent in plain text which can be viewed by intercepting them with freely available tools like Burp Suite

This Critical Vulerability has been discovered by a Security Researcher  Shaikh Yaser Arafat reported to GBHackers On Security said, “I was able to download customer sensitive information with automated scripts by entering consecutive redemption codes (Sample dump attached).
There were nearly 4,76,569 redemption codes available in the system starting from XXX00033 to XXX76602 (as on 8th Nov 2017 12:15 AM IST) with actual customer information.”

Vulnerability Report

Initially, once customers purchased the product they need to update the Product information, so the customer needs to go into  https://www.hpshopping.in/reinventinking2017 and click ‘Reinvent Celebration’ and choose the Choose Consumer notebook and enter your mobile number. Verify it with OTP.

Next page Customers used to update the form about their personal pieces of information such as name Email, Phone number, residential address along with Purchased Proof.

On successful registration, you will be receiving a Redemption Code. You can visit the HP Redemption Support Website (www.redemptionsupport.com) to check the status of your claim.

Redemption support will help to view the status of their purchased product and once customer will provide the detail. To see the status, enter your Redemption Code and click on Search.

Redemption support search for claim status

In this case, You would be able to see your personal details (Name, City, Pin Code, etc.,) and your registered laptop details (Serial Number, Product Code, etc.,

View of customers Clamin Registration Status details

In this form, click on edit or personal details to see sensitive information like Address, Email Address, and Mobile Number post-OTP verification.

Here, Customer sensitive information (Name, Address, Email Address, Mobile Number, Laptop Serial Numbers, etc., of other HP customers, can also be viewed without OTP verification.

This Sensitive Data Exposure allows anyone can view other customer’s name, city, laptop model, serial number, claim status, etc., by merely entering the consecutive redemption codes one by one on the homepage. No OTP / Password authentication was configured.

Intercept the traffic with BurpSuite while clicking the ‘Edit’ / ‘Personal Details’ button to view customers sensitive information such as Address, Mobile Number, Email address, Customer sensitive information was sent in plain text.

Customer Data Dump

This Critical Vulnerability has been reported and fixed by the HP security team on November 17, 2017. It’s unclear that any cybercriminal used the vulnerability to extract the data from HP support website.

HP would have suffered its most significant customer data breach if cybercriminals exposed this.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago