Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people’s order details and personal information, TechCrunch has exclusively learned. At least a dozen of Express’ customer orders had been publicly listed in web search engine results.
The security flaw exposed order confirmation pages on Express’ online store, revealing details of purchases and who made them.
The exposed information contained customer names, phone numbers and email addresses; postal, billing, and delivery addresses; order details, including the items that a customer purchased; and partial payment card information, including the card type and the last four-digits.
Express is a large clothing retailer with hundreds of stores across the United States, Mexico and Latin America. The once-publicly listed company is now run by WHP Global, which also owns several fashion and retail giants.
Rey Bango, a security and privacy advocate, accidentally discovered the flaw after investigating a fraudulent purchase on a family member’s account, but found no way to report the flaw to Express. Bango asked TechCrunch to alert the company in an effort to get the bug fixed.
“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else’s order information came up!” Bango told TechCrunch.
TechCrunch verified that one could tweak the order confirmation webpage address to view the order and personal information of other customers. Express uses order numbers that are largely sequential, which makes it easy to potentially cycle through thousands of orders by changing the order number in the web address using automated web tools.
After we contacted Express, the apparel giant fixed the flaw on Wednesday, but would not say if it p …