Blog: Vulnerability Advisory

Gumtree – leaking your data and not really listening

Alan Monie 15 Dec 2021

Sometimes finding vulnerabilities is as simple as… just looking.

TL;DR

  1. Gumtree is a UK-based site where users can advertise items for sale.
  2. It leaked the PII of sellers to other users of the site within the HTML source of the adverts. Email address, postcode, GPS location, and the seller’s surname (via an IDOR) were all leaked.
  3. They abdicate responsibility for vulnerability disclosure to a bug bounty programme who didn’t seem to know what to do with responsible disclosure.

Introduction

Gumtree claims to take user security and privacy seriously. They hide your surname and use an internal messaging system to allow buyer/seller communication, without revealing user’s email addresses. It’s a huge site that until recently was owned by eBay, so they must be pretty secure…. right?

Leaky location data: F12

The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers email address, and their full name was available via a simple IDOR vulnerability.

One of my neighbours recently tried to sell a TV on Gumtree only for a random person, who hadn’t made prior contact, turn up at his house when he wasn’t at home. The neighbour called me to say that his youngest daughter was in the house and was scared because the guy wouldn’t leave. There are good reasons for not wanting to publish your location on the internet.

In the example below, the seller had, quite sensibly, disabled the map of their location, but the source HTML leaked their postcode. This is more accurate location data than the general map would have shown. This allows an attacker to identify a street or even a partial street.

Figure 1 – Advert with no exact location data

Figure 2 – Postcode leaked in the HTML

Figure 3 – Leaked email address

Leaky name information

The site also has an API which appears to be used exclusively for iOS. One of the endpoints was vulnerable to an IDOR attack. This leaked the full name of the user, as well as some other minor information, and didn’t require any authentication.

Figure 4 – Leaking PII without authentication

Gumtree obviously knows that publishing a user’s full name on the site is a bad idea because they only show a first name in the advert. It’s a shame their APIs leak that information to anyone who has a look.

Leaky email addresses

In October the governor of Missouri threatened to prosecute a local journalist who found some Social Security Numbers in the HTML source of the Department of Elementary and Secondary Education’s web site. This type of response isn’t uncommon when trying to disclose information to a vendor. It’s not often they are grateful, and usually they want to keep it quiet, don’t respond, or they don’t understand and want to sue you.

Inspired by Governor Parson, I developed a multi-stage process to view sensitive information belonging to other Gumtree users:

  1. View an advert on gumtree.com
  2. Press F12
  3. Read
  4. The
  5. Sellers
  6. Email
  7. Address
  8. In
  9. The
  10. HTML

Sometimes big sites don’t even get the basics right.

It was surprising to see other users email addresses being leaked in the HTML source. I know Gumtree previously had used the concept of masked email addresses, and the email field may have been used for that. However, it’s a serious oversight to leak the email address of every seller in their adverts.

Gumtree was not protecting the location of its sellers or their PII data, and was leaking it on every advert. Sending this type of data to a third-party is, in my opinion, a clear data breach under UK GDPR laws. Any user could unintentionally access the PII of any seller.

Disclosure

Gumtree had a security.txt page on their web site. It simply pointed us to Zerocopter who managed their bug bounties. I prefer to engage with companies directly, so I wasn’t keen on reporting through a third-party bug bounty programme, but I had no choice.

Unfortunately, Zerocopter required us to agree to a non-disclosure process before they would accept our vulnerability report. We believe in full disclosure, so that wasn’t something we were prepared to sign up to. After carefully reading the extensive legal jargon, it appeared that there was a clause for security researchers to publicly disclose after the issue was fixed, but forcing researchers to agree to multiple pages of legal text makes it time-consuming and potentially expensive in legal fees to simply let a site owner know of a security issue.

People trying to do the right thing should not be forced into a legal agreement. If you want to be made aware of all security issues on your platform, and as quickly as possible, outsourcing your vulnerability disclosure process is not the answer.

Date Action
11/11/2021 Emailed [email protected] and [email protected] about their PII leak
12/11/2021 Emailed [email protected]
12/11/2021 Received email from customer support acknowledging the issue and informing me they sent it to the relevant department
16/11/2021 Received email from customer support saying that the email address leak had been fixed and they had self-reported to the ICO
17/11/2021 Emailed [email protected] again to let them know there were still other information leaks
19/11/2021 Submitted reports via zerocopter
01/12/2021 Gumtree fixed the IDOR
06/12/2021 Gumtree fixed the postcode leak

I initially sent emails to security@ and hello@ on the 11th November, and because it was leaking PII, I tried to contact their Data Protection Officer. I contacted them twice explaining that their site was leaking PII (12th and 17th November), but I never received a reply. Their customer service team did reply and said that the report had been forwarded onto an internal department, but again I never received a reply from their security team or DPO.

On the 16th November the customer service team replied letting me know that they had fixed the email address disclosure, and self-reported to the Information Commissioners Office. Well done Gumtree, that was a fast fix, and it’s great that you informed the ICO. There was, however, no mention of the location data leakage, or the IDOR, so on the 19th November I resorted to trying to report via Zerocopter.

Using a third-party also makes the disclosure process very clinical, and there was no direct thanks or feedback from Gumtree, however there was a monetary reward of 500-3000 Euros for the IDOR vulnerability because they had marked it as high risk.

HOWEVER, after the issue was fixed, I was informed that no reward was payable because – “This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself”.

So, because I followed their rules on responsible disclosure, no reward was payable!

After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum. I’m sure Gumtree would be horrified to find that their responsible disclosure process tied the hands of researchers, created a feeling of ungratefulness, and tried to avoid paying a bounty.

Outsourcing the vulnerability disclosure process abdicates your responsibility for vulnerabilities in your software and creates a cultural disconnect between your security team and the information security community.

Conclusion

Site owners need to ensure that they are handling user’s data securely, and application level DLP systems can be useful to monitor for things like email addresses being leaked from web pages that should not contain email addresses.

Engage with security researchers directly. You’ll be made aware of issues on your site quicker, you’ll build up a relationship, and we’re on hand to retest and advise on the best fix for the vulnerability.