Contact Information Exposed by Simple URL Manipulation
There is evidence that customer personal information was left unprotected at the sandwich franchise Subway.
According to Choi Minhee, chairperson of the National Assembly’s Science, ICT, Broadcasting and Communications Committee from the Democratic Party of Korea, a security vulnerability was discovered in Subway’s online ordering system, accessible via its website and mobile application, that allowed easy access to other customers’ personal information.
Anyone could access the order page without logging in and, by arbitrarily changing the number at the end of the web address (URL), view other customers’ contact details and order information directly on the screen.
Choi pointed out, "Based on the cases confirmed, it appears that personal information was left unprotected in this manner for at least five months."
It has not been determined whether any customer information was actually leaked. Subway has reportedly notified the Korea Internet & Security Agency of the issue.
Previously, Papa John’s also experienced an incident in which changing the numbers at the end of the URL exposed not only customer names and contact information, but also credit card numbers and apartment entrance passwords. The luxury online platform Mustit also faced controversy after a vulnerability was discovered that allowed member information to be accessed without authentication.
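The flaw described in this article (an order page served without login, with the record selected only by the number at the end of the URL) and the server-side check that closes it are shown below as an added example, which is not part of the original report or any company's code. The order records, function names and review threshold are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int   # sequential number, as seen at the end of the order URL
    owner: str      # account that placed the order
    phone: str
    items: str

# Constructed sample records, not taken from any real system.
ORDERS = {
    1001: Order(1001, "alice", "010-0000-0001", "veggie sandwich"),
    1002: Order(1002, "bob", "010-0000-0002", "turkey sandwich"),
}
DENIED = Counter()  # per-account count of lookups that failed the ownership check

def get_order_vulnerable(order_id):
    """Flawed pattern: the number from the URL is the only input checked."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, {"phone": order.phone, "items": order.items}

def get_order_hardened(session_user, order_id):
    """Require a logged-in session, then verify the order belongs to it."""
    if session_user is None:
        return 401, None  # order pages are never served anonymously
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        DENIED[session_user] += 1
        # Same 404 for "missing" and "not yours": the response does not
        # confirm which order numbers exist.
        return 404, None
    return 200, {"phone": order.phone, "items": order.items}

def accounts_to_review(threshold=3):
    """Accounts with repeated denied lookups, a sign of order-number walking."""
    return sorted(u for u, n in DENIED.items() if n >= threshold)

if __name__ == "__main__":
    print(get_order_vulnerable(1002))         # no session needed at all
    print(get_order_hardened(None, 1002))     # anonymous request refused
    print(get_order_hardened("alice", 1002))  # someone else's order hidden
    print(get_order_hardened("alice", 1001))  # own order returned
```

The ownership check has to run on the server for every request; hiding the link or randomising the number alone leaves the same data reachable by anyone who learns a valid URL.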
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


