{ "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2017-05-17T00:00:00.000Z", "ID": "CVE-2017-3211", "STATE": "PUBLIC", "TITLE": "Centire Yopify leaks customer information" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Yopify", "version": { "version_data": [ { "version_affected": "<=", "version_name": "2017-04-06", "version_value": "2017-04-06" } ] } } ] }, "vendor_name": "Centire" } ] } }, "credit": [ { "lang": "eng", "value": "This vulnerability was discovered by Oliver Keyes, a Rapid7, Inc. senior data scientist." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks the first name, last initial, city, and recent purchase data of customers, all without user authorization." } ] }, "exploit": [ { "lang": "eng", "value": "Yopify works by having the e-commerce site load a JavaScript widget from the Yopify servers, which contains both the code to generate the UI element and the data used to populate it, stored as JSON. This widget does not require any authorization beyond a site-specific API key, which is embedded in the e-commerce site's source code, and is easily extractable with a regular expression.\n\nThe result is that by scraping a customer site to grab the API key and then simply running something like:\ncurl 'https://yopify.com/api/yo/js/yo/3edb675e08e9c7fe22d243e44d184cdf/events.js?t=1490157080'\n\nwhere 3edb675e08e9c7fe22d243e44d184cdf is the site ID and t is a cache buster, someone can remotely grab the data pertaining to the last 50 customers. This is updated as purchases are made. Thus an attacker can poll every few hours for a few days/weeks/months and build up a database of an e-commerce site's customer set and associated purchasers.\n\nThe data exposed to this polling was, however, far more extensive than the data displayed. While the pop-up only provides first name and last initial, the JSON blob originally contained first and last names in their entirety, along with city-level geolocation. While the casual online customer wouldn't have seen that, a malicious technical user could have trivially gained enough information to potentially target specific users of specific niche e-commerce sites.\n\n\n\n\n\n \n" } ], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-213 Intentional Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.rapid7.com/2017/05/31/r7-2017-05-centire-yopify-information-disclosure-cve-2017-3211/", "refsource": "MISC", "url": "https://blog.rapid7.com/2017/05/31/r7-2017-05-centire-yopify-information-disclosure-cve-2017-3211/" } ] }, "source": { "defect": [ "R7-2017-05" ], "discovery": "EXTERNAL" } }