B-Uggs
Title: That's uggzactly what I thought!
TLDR; ugg.com orders could be enumerated from just the order ID, which was an incrementing number. Any order that had not already been dispatched could be cancelled, which meant someone could effectively script something to cancel every order placed on ugg.com. I was awarded <this> for finding and reporting the problem, and at no stage did I download/access other people's information :)
I've recently moved to San Francisco (about 6 months now), and besides the complete chaos that is the apocalypse we live in, I've unfortunately gone from one winter to the next. Now that I'm starting to settle in, my feeties were always cold at night, and I needed some good slippers to replace my free airplane ones. My friend Gabe suggested I get some uggs, and I did (they should be here any day now!)
I went through the usual process of ordering, I didn’t even create an account, I just checked out with my email address (ugg@andrewmohawk.com) and paid with my credit card. I received the standard “your order has been placed” and “your order is on its way to you” emails I’ve come to love from living in SF:
Clicking on the links gave you the usual HTML-rich responses indicating my order (29057647) had been placed!
A few days later
And clicking on that link: (https://www.ugg.com/Order?CID=ORDER_CONFIRMATION_US&Mt_euid=0daa7cae396e88a9ecfd4c60618edbae&VID=10036438042&hmail=6e01926cca436a3795c629c8d9310ed20c750ef1710d00b44b19e653334e92f5&oid=29057647&utm_campaign=ORDER_CONFIRMATION_US&utm_medium=email&utm_source=US_Transactional)
Interesting: I wasn't logged in, didn't have an account, and had no previous creds. I removed the extra GET parameters and browsed to https://www.ugg.com/Order?oid=23853915. Hmm, same page. I thought I'd increment that number by 1 just to see what happened, and sure enough I got someone else's order. Panic. I closed that tab and went back to my own page to see what details were exposed, and sure enough the page contained the following:
var utag_data = {
"previous_page_name": "desktop:orderhistory",
"hmail": "",
"page_context_type": "orderhistory",
"page_context_title": "order%20history",
"page_name": "desktop:orderhistory",
"page_type": "checkout",
"device_type": "desktop",
"page_error_type": "",
"pipeline_name": "Order-Summary",
"site_id": "UGG-US",
"user_anonymous": "true",
"user_authenticated": "false",
"user_registered": "false",
"customer_id": "cdafZjebDltARtbayDNopPdUVT",
"customer_country": "US",
"customer_city": "San Francisco",
"order_id": "29057647",
"customer_email": "ugg@andrewmohawk.com",
"order_discount": "0.00",
"order_subtotal": "100.00",
"order_tax": "8.50",
"order_shipping": "0.00",
"order_payment_type": "CREDIT_CARD:Visa",
"order_total": "108.50",
"order_currency": "USD",
"order_est_shipdate": "2020-04-13",
"postal_code": "94109-5793",
"order_has_virtual": "N",
...MORE...
};
Yikes: email address, city, country, zip code, Visa card type, amounts, and some dates. I mean, it's not the end of the world, but it does show some PII that probably shouldn't be exposed. Next I called up my friend Gabe, asked if I could use his order ID, and sure enough I could see all of his details as well. I diffed the two page responses and saw that I also get the
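The root cause above is an order endpoint that trusts a guessable, sequential oid as the only key. As an added example (not ugg.com's code; the in-memory store, server secret and token scheme are my assumptions), here is that vulnerable lookup beside a hardened version that requires a per-order capability token, which is what a confirmation-email link should carry instead of a bare order number:

```python
"""Order lookup with and without an ownership check (added example, assumed design)."""
import hmac
import hashlib
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumed server-side secret, kept out of the URL

# Constructed sample data: sequential order ids, as described in the post.
ORDERS = {
    29057647: {"email": "ugg@andrewmohawk.com", "total": "108.50", "dispatched": False},
    29057648: {"email": "someone.else@example.com", "total": "55.00", "dispatched": True},
}


def order_token(oid: int, email: str) -> str:
    """Per-order capability token: HMAC over the id and the buyer's email.
    Unguessable without SERVER_SECRET, so incrementing oid gains nothing."""
    msg = f"{oid}:{email.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def lookup_vulnerable(oid: int):
    """The pattern the post describes: any order is returned from the id alone."""
    return ORDERS.get(oid)


def lookup_hardened(oid: int, token: str):
    """Return the order only if the caller proves ownership with a valid token.
    Constant-time compare; a bad token looks the same as a missing order."""
    order = ORDERS.get(oid)
    if order is None:
        return None
    expected = order_token(oid, order["email"])
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return order


def cancel_hardened(oid: int, token: str) -> bool:
    """Cancellation needs the same proof of ownership and is refused once dispatched."""
    order = lookup_hardened(oid, token)
    if order is None or order["dispatched"]:
        return False
    order["cancelled"] = True
    return True
```

Randomising the order id itself is a separate, complementary fix; the token check is what stops an attacker who already has a valid id from reading or cancelling someone else's order.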
So far this is kind of average, but I wondered whether there was a link to "my account" (I had ordered anonymously).

