Card Factory Website Flaw Exposes User Photos
17 Oct
Popular UK greeting card website Card Factory was reported this week to have had a flaw on its website that allowed the public to view private user photos via a simple URL trick.
The issue was identified by a developer named Iain Row from Milton Keynes. Row said that the site stored photos in an insecure way. Luka Kladaric, founder of Sekura Collective, said that the vulnerability, known as an 'insecure direct object reference', was fairly common and quite unacceptable, as it allowed anyone to download thousands of private photos without being kicked out by the server.
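To make the reported flaw concrete, the following is an added example in plain Python (not Card Factory's code, and not written by anyone quoted above). It shows the insecure direct object reference pattern the article describes: a photo handler that serves whatever object id appears in the request, next to a hardened handler that ties the lookup to the authenticated requester. It also shows the kind of server-side check that would have noticed thousands of private photos being fetched by one client. The photo store, account names, ids and access-log lines are all constructed for the example.

```python
"""Added example: insecure direct object reference (IDOR) in a photo handler,
the hardened form, and a simple enumeration check over access logs.
Everything below (store, owners, ids, log lines) is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Photo:
    photo_id: int   # sequential id: easy to guess, which is the core of the report
    owner: str      # account that uploaded the photo
    data: bytes     # image bytes (placeholder content)


# Constructed sample store. Sequential ids mean a valid id is trivially guessable.
PHOTOS = {
    1001: Photo(1001, "alice", b"ALICE-PHOTO"),
    1002: Photo(1002, "bob", b"BOB-PHOTO"),
    1003: Photo(1003, "alice", b"ALICE-PHOTO-2"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to see the requested object."""


def get_photo_insecure(photo_id: int) -> Optional[bytes]:
    """Vulnerable pattern: the id from the URL alone selects the object.
    Any caller who supplies a valid id gets the photo; ownership is never checked,
    so a private photo is private only as long as nobody guesses its id."""
    photo = PHOTOS.get(photo_id)
    return photo.data if photo else None


def get_photo_secure(requester: Optional[str], photo_id: int) -> bytes:
    """Hardened pattern: the authenticated requester is part of the authorisation
    decision, so a valid id is not enough. Missing, unknown and foreign ids all
    raise the same Forbidden so the response does not reveal which ids exist."""
    photo = PHOTOS.get(photo_id)
    if requester is None or photo is None or photo.owner != requester:
        raise Forbidden(f"{requester!r} may not access photo {photo_id}")
    return photo.data


def is_denied(requester: Optional[str], photo_id: int) -> bool:
    """Convenience wrapper: True when the secure handler refuses the request."""
    try:
        get_photo_secure(requester, photo_id)
    except Forbidden:
        return True
    return False


# Constructed access log: "client method path status", one request per line.
ACCESS_LOG = """\
203.0.113.5 GET /photos/1001 200
203.0.113.5 GET /photos/1002 200
203.0.113.5 GET /photos/1003 200
203.0.113.5 GET /photos/1004 200
198.51.100.7 GET /photos/1002 200
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Count the distinct photo ids each client successfully fetched and return
    the clients at or above `threshold`. One client pulling many different
    photos is the signal the article describes: the server should have objected
    long before thousands of private images had been downloaded."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the check
        client, _method, path, status = parts
        if status == "200" and path.startswith("/photos/"):
            seen[client].add(path.rsplit("/", 1)[1])
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("insecure handler leaks bob's photo:", get_photo_insecure(1002))
    print("secure handler denies alice -> bob's photo:", is_denied("alice", 1002))
    print("clients fetching many distinct photos:", flag_enumeration(ACCESS_LOG))
```

The fix is not to hide the id (random, non-sequential ids only slow guessing down) but to make every object lookup include the requester's identity, and to alert on any client that reads an unusual number of distinct private objects.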
It was noted that Card Factory took several days after being alerted to fix the issue.