Lax security around URL shortener exposed PII of US retailer Carter’s customer base
US retailer Carter’s has suffered a data leak that exposed the personally identifiable information (PII) of hundreds of thousands of customers. Unlike many data leaks, the incident was not the result of an unsecured bucket or a misconfigured cloud storage system; instead, it was caused by relaxed security policies around URL shortening. The leak was discovered during a web mapping project conducted by vpnMentor. According to vpnMentor, the company failed to implement authentication for a popular URL shortener tool used on Carter’s e-commerce domain. vpnMentor described the incident as a simple oversight in the firm’s online order tracking infrastructure.
When a purchase was made through Carter’s US website, the vendor automatically delivered a shortened URL for accessing a purchase confirmation page. Because no authentication was required and the links never expired, anyone holding a link could access the page at any time. The confirmation pages, which contained a variety of PII, were generated by Linc’s automation platform. The information exposed on the pages included full names, addresses, email addresses, phone numbers, and purchase and transaction details.
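The two properties the article calls out, no authentication and no expiry, are what turn a shortened order-confirmation link into a permanent public record. The following is an added illustration (not code from Carter’s, Linc, or vpnMentor) contrasting a static short-code lookup with a link token that is signed and time-limited; the `SECRET` key, order ids, and TTL are constructed placeholders, and order ids are assumed not to contain `|`.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Placeholder signing key for this example; a real deployment would load it
# from a secrets store and rotate it.
SECRET = secrets.token_bytes(32)

# Weak pattern: a short code maps straight to an order record. Nothing
# expires and nothing is checked, so the link is valid for anyone, forever.
STATIC_LINKS = {"abc123": {"order": "ORD-1001", "name": "Example Customer"}}

def resolve_static(code):
    return STATIC_LINKS.get(code)

def issue_token(order_id, ttl_seconds, now=None):
    """Return a URL-safe token bound to one order and an expiry time."""
    now = int(now if now is not None else time.time())
    expires = now + ttl_seconds
    payload = f"{order_id}|{expires}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + sig).decode().rstrip("=")

def resolve_token(token, now=None):
    """Return the order id only if the token is intact and not yet expired."""
    now = int(now if now is not None else time.time())
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        order_id, expires, sig = raw.split(b"|", 2)  # signature is last field
        expires_at = int(expires)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, order_id + b"|" + expires, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered order id or expiry
    if now >= expires_at:
        return None  # link has expired; the page is no longer reachable
    return order_id.decode()

if __name__ == "__main__":
    tok = issue_token("ORD-1001", ttl_seconds=3600, now=1000)
    print("static link resolves:", resolve_static("abc123") is not None)
    print("fresh token:", resolve_token(tok, now=2000))
    print("after expiry:", resolve_token(tok, now=5000))
```

The token should still be delivered only to the purchaser (e.g. in the order e-mail), since a signed link is a bearer credential for as long as it is valid.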