Free Classified Ads Website in UK Leaks Users Information When Hitting the F12 Key

A security researcher was able to view personally identifiable information of users of Gumtree, one of the UK’s leading classified ads websites, by simply pressing the F12 key on his keyboard.

According to the report, the F12 key opened the developers’ tool console, allowing him to view the platform’s source code, and monitor any network requests and error messages.

During his investigation, Alan Monie said the HTML source was leaking a variety of personal information of advertisers who posted on the platform, including full names, user names, account registration date, account type, email address, postcodes and GPS coordinates.

"The site was super leaky. Every advert on the site included the seller's postcode or GPS coordinates – even if the seller requested the map of their location to be hidden,” Monie said. “It leaked the sellers email address, and their full name was available via a simple IDOR vulnerability."

Monie reported his findings to Gumtree on Nov. 11. Soon after, the platform said it managed to secure the email address leak. Gumtree also mentioned it had filed a self-report with the Information Commissioners Office.

Throughout December, the company managed to fix additional vulnerabilities, including one found in the API used by the Gumtree app on iOS.

“The site also has an API which appears to be used exclusively for iOS. One of the endpoints was vulnerable to an IDOR attack,” the researcher added. “This leaked the full name of the user, as well as some other minor information, and didn’t require any authentication.”

According to a statement sent to BleepingComputer, Gumtree did not notify its users of the leak.

“We did not notify our users and are confident that our response to the reported issues was timely, appropriate and proportionate,” Gumtree said. “We have communicated proactively with the regulator as these issues came to light and as we were taking remedial actions. We will take any appropriate further action should that be required.”

It is not clear if Monie was the only one who found the flaw on Gumtree’s website. As a precaution, users should be wary of social engineering attacks via email, asking the recipient to provide sensitive information.