Brit voucher biz's signup page blabbed families' details via URL tweak

A UK web biz has been slammed for blocking people on Twitter just for reporting a security vulnerability that potentially leaked people's contact details.

Kids Pass – a Cheshire-based outfit that offers more than 500,000 folks discount vouchers for family activities – was alerted over the weekend, via Twitter, that its code was insecure. By making a simple tweak to a URL on the site while activating an account, someone could get access to strangers' personal information.

The signup process goes as follows:

1. A new member goes to kidspass.co.uk and inputs their details and credit card number on the site, and clicks a button join. The new user hasn’t been asked to create a password yet.
2. Then – according to those who have gone through the process – once the card is accepted, a link is sent via email, which you have to click on to prove your email address works. You're then prompted to set a password for the account.
3. But that URL contains an activation code linked to the new account. It's a bunch of numbers. If you tweak the value, you'll gain access to the corresponding account – someone else’s account and their details. In other words, you can abuse the emailed link to snoop on other people signing up.

Those who have been through the process say the page you land on after clicking the link includes pre-filled fields for name, email address, phone number and postcode. Kids Pass confirmed with The Register that this vulnerability can only be exploited to peek at people who were in the process of activating their accounts, “and as such only a handful of people could potentially have been affected for a very short period at any one time.”

This, it said, was because “you are not in the activation process for long” – although as those with a short attention span will know, not everyone clicks the activation link immediately after signing up. And, as one Reg reader and Kids Pass customer pointed out to us privately, it isn’t exactly reassuring for those people who may have been exposed.

Alan Woodward, a security professor at the University of Surrey, agreed:

“Even if it was limited to the registration process, that’s enough of a problem, and where there is such a fault, without more detailed information from the company, one has to assume that there are other problems,” Prof Woodward told The Reg. “Personally, I wouldn’t trust my details to the site until I knew more about what exactly is going on with that site.”

We asked Kids Pass how many people had been affected. It didn’t answer the question directly, instead saying:

Peeps in the web and security industry also expressed concern that the Brit biz had been warned about the problem, with web developer Gareth Griffiths blogging about it all earlier. Griffiths had already alerted the company to lax security measures back in December, when he realised that the firm was sending out plain text passwords.

@KidsPass You just sent me a password reminder with my password in plain text - I hope you're not storing it in plain text. #security

— Gareth Griffiths (@gazchap) December 26, 2016

He said that, when he asked for a reminder for his password, his actual password was emailed to him “completely naked and unencrypted.”

And for two of the people reporting the problem this weekend, Kids Pass’ social media handlers took a decidedly bizarre approach: rather than thanking the eagle-eyed followers for pointing out the flaw instead of exploiting it, or their customers – the biz blocked them on Twitter.

Both prospective Kids Pass member Alex Haines, who reported the issue via social media to the team, and Troy Hunt, a Microsoft man who blogs on security issues and was alerted to the issue by Haines, were blocked for a time immediately after pressing Kids Pass to take action.

@KidsPass you’ve got a data protection issue with your registration process. Anyone can access anyone elses data! @troyhunt Contact me.

— Alex Haines (@AlexJamesHaines) July 29, 2017

As Hunt put it on his blog, he felt the pair had done a “good deed” by reporting the problem but been punished in a bizarre manner.

“This is probably the simplest most ethical example I could think of when it comes to doing the right thing by a company that is clearly doing the wrong thing (or at least their code is doing the wrong thing), yet here we were, both Alex and I blocked from any further communications,” Hunt wrote.

Kids Pass said that the pair had been blocked “in the early hours of Sunday morning by our 'out of hours' social media monitoring team” and unblocked “within a matter of hours when this error was spotted.”

It added that the security issue had been fixed, and that it was taking steps to introduce a vulnerabilities reporting policy “similar to those offered by companies such as Tesla or Facebook.”

At the moment, this stretches simply to adding “report a technical problem or concern” option to the drop-down list on the Contact Us page – that's some way to go before reaching the same level as Tesla’s policy, which offers users an email address, a PGP key to securely report concerns, and offers of rewards up to $10,000 per vulnerability.

Kids Pass added that it had alerted the UK’s data watchdog, the Information Commissioner’s Office, which a spokesman for the ICO confirmed. An ICO spokesman said: “All organisations have a duty to keep people’s personal details safe and secure. We will be looking into the details of concerns raised about the Kids Pass website.” ®