Popular e-card site has a bug that lets anyone access user photos

If you've uploaded pics to Card Factory, they can be seen by others.
By Stan Schroeder

Card Factory, a popular UK-based greeting card business, stores some of its customers' data in an insecure way, letting anyone access their photos with an incredibly simple URL trick.

The site was notified about the issue on October 8 and hasn't fixed it or alerted its customers about it in a week, Mashable has learned.

UPDATE: Oct. 15, 2018, 6:11 p.m. CEST Card Factory says the security issue has now been fixed.

"The trust and privacy of our customers is of utmost importance to us. After recently being made aware of this issue, we have applied a security update to our website to ensure it cannot happen again," the company told Mashable.

Iain Row, a website developer from Milton Keynes, told Mashable about the issue, which he'd discovered when he was buying a birthday card for his brother. He'd noticed that the location of the uploaded photo was stored in an insecure way, letting anyone access any other user's photo as well.

We'll skip the exact details of how to exploit the vulnerability (in the interests of user privacy), but it's incredibly easy to do and can be carried out by anyone without any special tools or programming knowledge. We independently verified that the exploit was still present on Monday morning, and we have had another expert verify it as well.

"When I realised that you could (...) display any other user’s photos, I was stunned. I did some further testing and confirmed that a) you can link to the images from anywhere, and b) there are no restrictions on downloads, you can download thousands if you want and the server never kicks you out," Row told us via e-mail.

"This type of vulnerability is called 'insecure direct object reference.' It's fairly common and totally unacceptable," Luka Kladaric, software engineer and founder of Sekura Collective, told Mashable after reviewing the issue.
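To make the class of bug Kladaric names concrete, here is an added illustration that is not Card Factory's code and does not reproduce the site's actual URL scheme: a hypothetical photo-serving endpoint that trusts the identifier in the request (the insecure direct object reference), beside a hardened version that checks ownership, and the kind of sequential walk Row describes. The `PhotoStore`, the handler signatures, the user names and the sample photo bytes are all constructed for the example.

```python
"""Insecure direct object reference (IDOR) on an uploaded-photo endpoint,
shown beside a hardened handler. Added example; hypothetical code, not
Card Factory's. All names and sample data below are constructed."""

import secrets
from dataclasses import dataclass, field


@dataclass
class Photo:
    owner: str   # account that uploaded the image
    data: bytes  # image bytes (constructed placeholder in the demo)


@dataclass
class PhotoStore:
    """In-memory stand-in for the site's photo storage (hypothetical)."""
    photos: dict = field(default_factory=dict)
    next_id: int = 1000  # sequential IDs make the whole store enumerable

    def upload_sequential(self, owner: str, data: bytes) -> str:
        pid = str(self.next_id)
        self.next_id += 1
        self.photos[pid] = Photo(owner, data)
        return pid

    def upload_random(self, owner: str, data: bytes) -> str:
        # Defence in depth: an unguessable identifier removes the trivial
        # enumeration, but it is NOT a substitute for the ownership check.
        pid = secrets.token_urlsafe(16)
        self.photos[pid] = Photo(owner, data)
        return pid


def serve_photo_insecure(store: PhotoStore, photo_id: str, session_user):
    """Vulnerable: the identifier from the URL is used directly and the
    handler never asks whether the caller is allowed to see this photo."""
    photo = store.photos.get(photo_id)
    if photo is None:
        return 404, None
    return 200, photo.data


def serve_photo_hardened(store: PhotoStore, photo_id: str, session_user):
    """Fixed: require a session and check that the photo belongs to it.
    A missing photo and someone else's photo get the same 404, so an
    attacker cannot even confirm which identifiers exist."""
    if session_user is None:
        return 401, None
    photo = store.photos.get(photo_id)
    if photo is None or photo.owner != session_user:
        return 404, None
    return 200, photo.data


def enumerate_photos(store, serve, session_user, start: int, count: int) -> dict:
    """The walk Row describes: try consecutive identifiers with an ordinary
    account and keep whatever the server hands back."""
    leaked = {}
    for n in range(start, start + count):
        status, data = serve(store, str(n), session_user)
        if status == 200:
            leaked[str(n)] = data
    return leaked


def demo():
    """Two customers upload photos; a third account walks the ID space
    against each handler. Returns (leaked_insecure, leaked_hardened)."""
    store = PhotoStore()
    store.upload_sequential("alice", b"ALICE-BIRTHDAY-PHOTO")  # constructed
    store.upload_sequential("bob", b"BOB-WEDDING-PHOTO")       # constructed
    leaked_insecure = enumerate_photos(store, serve_photo_insecure, "mallory", 1000, 10)
    leaked_hardened = enumerate_photos(store, serve_photo_hardened, "mallory", 1000, 10)
    return leaked_insecure, leaked_hardened


if __name__ == "__main__":
    insecure, hardened = demo()
    print("insecure handler leaked:", sorted(insecure))
    print("hardened handler leaked:", sorted(hardened))
```

The fix that matters is the per-request ownership check in `serve_photo_hardened`; switching to random identifiers (`upload_random`) only raises the cost of guessing and still leaves any link that is shared or logged usable by whoever holds it. Row's second observation, that thousands of downloads never got the client "kicked out", is a separate control (per-account rate limiting and alerting on bulk access) that the hardened handler above does not attempt.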

Card Factory describes itself as "UK’s leading specialist retailer of greeting cards." The company reported £185.3 million ($243.4 million) revenue in its 2018 half-year earnings report.


Security vulnerabilities and bugs happen all the time. But how a company protects user data is crucial. We've seen Card Factory's response to Row, and while the company did promise to fix it, it hasn't done so in at least a week.

"They still haven’t taken down the images, and are still selling products which require private photo uploads, knowing that those photos are available to all," Row told us.

In a letter provided to us by Row, the company said it deemed his actions to be well-meaning, but then warned him that accessing user data in this manner would be a criminal offence.

In the letter they asked Row to confirm he had deleted all the data he’d obtained by probing for the vulnerability, as well as promise he would not do any further testing of the sort. The company also asked him not to publicly disclose any information about the vulnerability.

In its privacy policy document, Card Factory says it employs security measures to protect user information, but cannot be held responsible "for any breach of security unless this is due to our negligence or wilful default."

The relevant paragraph is below:

"We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. We will treat all of your information in strict confidence and we will endeavour to take all reasonable steps to keep your personal information secure once it has been transferred to our systems. However, the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful default."

"We have also spoken to The Information Commissioner's Office regarding the matter, and they have confirmed that this was not a data breach and no personal data was compromised. We continue to follow their guidance to resolve this matter and would like to apologise to any customers affected," the company said.

Mashable has reached out to Card Factory for further comment.


Stan Schroeder, Senior Editor, Mashable
