Halfords suffers a puncture in the customer details department

I like driving in my car, hope my data's not gone far


UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

Armed with an email address, Hatton was able to extract all manner of information about his booking, including his telephone number, car details, and the exact location of his home.

A few months later, Hatton decided to book a service and received, once again, an email exposing another exploitable endpoint. This time an email wasn't required. Just an ID. "It is simply an ID that increments with each order," he said.

Again, all customer details associated with that ID could be retrieved. He tried incrementing the ID and other customers turned up. "Through the Order ID," he said, "it seems likely that hundreds of thousands (if not millions) of different orders can be found, each containing [personally identifiable information]."

In January, Hatton responsibly contacted Halfords to warn the company of the vulnerability. Sadly, his efforts were rewarded mostly by a stony silence until The Register got in touch.

A spokesperson told us: "Halfords takes the security of our customer data very seriously.

"In this case we've been made aware of a potential vulnerability in one of our customer-facing systems. No bank or payment details have been at risk.

"We've removed the vulnerability and we'll be implementing an immediate review of our screening protocols to help ensure this doesn't happen again."

The Register contacted UK watchdog the Information Commissioner's Office (ICO) and was told: "We do not appear to have received a data breach report from Halfords on this matter.

"Not all data breaches need to be reported to the ICO. Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms."

The incident is reminder of the need for organizations to provide an open channel of communication for researchers and, for goodness' sake, to stop ejecting customer details upon the slightest prod. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022