NEW: Petco has taken down parts of its Vetco website after we discovered a masive data leak exposing customers' personally identifiable information (and their pets!) to the open web.
After flagging the leak, Petco still took four days to respond. We estimate millions of customers may be affected.
@zackwhittaker This is terrible. My dog isn’t very good with #cybersecurity and uses her owner’s name as her #password. I tried giving her a password wallet but she just buried it in the back yard.
@zackwhittaker I think that the most shocking thing to some pet owners would be finding out that their pet has a better credit score than they do.
We found the bug in how Vetco generates PDF documents for its customers. Its PDF page was public and was indexed by Google, which is how we found it. Worse, an IDOR bug in the URL meant it was possible for anyone to obtain customer data by changing the customer's unique ID by a single digit. 🤦
@zackwhittaker Enumeration - gee that was hard.. wonder if they messaged customers saying "we take the security of your data seriously"
@zackwhittaker That is a very bad design. I hope they will get fined for this by the privacy authorities.
