A security researcher discovered that goHardDrive, a used hard drive retailer, was exposing thousands of customer records through an insecure RMA status check system. The vulnerability allowed anyone to access customer names, addresses, emails, and order details by simply guessing sequential RMA numbers. Despite initial attempts to fix the issue by adding ZIP code and house number verification, the researcher demonstrated this was still easily exploitable. goHardDrive ultimately removed the RMA status page entirely and now handles status updates via email only.
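The summary above describes a textbook insecure-direct-object-reference: a sequential RMA number is the only key to a record, and the attempted fix (ZIP code plus house number) bolts a few low-entropy, publicly correlatable digits onto the same guessable key. The following is an added example, not code from the article or from goHardDrive, showing the insecure lookup, the attempted fix, and a hardened alternative that issues each RMA an unguessable capability token and returns only the status rather than the customer's PII. All records, the token scheme and the function names are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed sample records standing in for a retailer's RMA table (not real data).
# Each record holds the kind of PII the article says was exposed, plus the status
# the customer actually needs to see.
RMA_RECORDS = {
    1001: {"name": "Alice Example", "email": "alice@example.test",
           "address": "12 Sample St", "zip": "90210", "house": "12",
           "status": "received"},
    1002: {"name": "Bob Example", "email": "bob@example.test",
           "address": "34 Sample Ave", "zip": "10001", "house": "34",
           "status": "replacement shipped"},
}


def lookup_insecure(rma_number: int) -> Optional[dict]:
    """The pattern described in the article: the sequential RMA number is the
    only key, so every record is reachable by anyone who can count."""
    return RMA_RECORDS.get(rma_number)


def lookup_with_address_check(rma_number: int, zip_code: str,
                              house_number: str) -> Optional[dict]:
    """The attempted fix: still keyed on the guessable number; ZIP and house
    number are short, low-entropy values that are also public information."""
    rec = RMA_RECORDS.get(rma_number)
    if rec and rec["zip"] == zip_code and rec["house"] == house_number:
        return rec
    return None


# --- Hardened design (hypothetical, not goHardDrive's) -----------------------
# A random capability token is issued once per RMA and handed only to the
# customer; the server stores its hash, never the token itself.

TOKEN_HASHES: dict = {}  # rma_number -> sha256(token) hex digest


def issue_status_token(rma_number: int) -> str:
    """Called once when the RMA is created; the returned string goes in the
    confirmation email. 256 bits of randomness make enumeration infeasible."""
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[rma_number] = hashlib.sha256(token.encode()).hexdigest()
    return f"{rma_number}.{token}"


def lookup_secure(status_token: str) -> Optional[dict]:
    """Verify the token in constant time and return only the status; the
    status page never needed the customer's address to do its job."""
    try:
        rma_str, token = status_token.split(".", 1)
        rma_number = int(rma_str)
    except ValueError:
        return None
    expected = TOKEN_HASHES.get(rma_number)
    if expected is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return None
    rec = RMA_RECORDS.get(rma_number)
    if rec is None:
        return None
    return {"rma": rma_number, "status": rec["status"]}


def search_space_bits(possibilities: int) -> float:
    """Bits an attacker must guess to hit one valid value at random; compare a
    few thousand sequential RMA numbers with a 2**256 token space."""
    return math.log2(possibilities)


if __name__ == "__main__":
    tok = issue_status_token(1001)
    print("insecure lookup exposes:", lookup_insecure(1001))
    print("secure lookup returns:", lookup_secure(tok))
    print("wrong token:", lookup_secure("1001.not-the-token"))
    print("bits to guess, 10k sequential RMAs:", round(search_space_bits(10_000), 1))
    print("bits to guess, random token:", search_space_bits(2 ** 256))
```

The point of `search_space_bits` is the design argument, not the arithmetic: a status check keyed on anything a stranger can enumerate or look up (order numbers, ZIP codes, house numbers) is an authorization decision made on public data, whereas a per-RMA random token is a secret shared only with the customer. Returning just the status also limits what any future bug in the lookup can leak.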
Table of contents
The leak
Scale of leak
goHardDrive's attempted fix
goHardDrive removes RMA status checks entirely
Bug bounty
Timeline
Sidenote: Leaks aside, this is a terrible return process