Privacy flaw hits YouShop site

MATT STEWART
Last updated 08:27 10/07/2014

Relevant offers

Industries

Sanford's green lipped mussels growing too big for bite size Massive bridge-building machine named Dennis reaches Auckland Motorway milestone Skinny inches it on price for average mobile user Fletcher gets go-ahead for Ihumatao special housing area Mainfreight posts record annual profit of $88 million The retailers who have taken Dick Smith's place Kiwis well-served in digital world, annual Commerce Commission report finds Fonterra announces next season Farmgate milk price forecast of $4.25kgMS More Wicked Campers slogans banned, behaviour concerns advertising watchdog Shewan Inquiry gets advice on tightening trust regime

A privacy glitch in NZ Post's overseas freight-forwarding website YouShop has exposed users' credit card details, mailing addresses and lists of goods sent and received to other users.

Wellington man Ian Tan spotted the bug a week ago when he navigated away from his YouShop account then came back to it. The flaw eventually revealed three other users' details - including partial credit card numbers, where they lived and a manifest of posted items.

Last night NZ Post shut down the site as technicians worked to isolate the problem.

Tan said he landed on other users' accounts after the glitch had bypassed the log-in phase and was concerned an opportunistic user could potentially use his credit card to ship orders or re-direct another user's parcels to a temporary address.

"There's a raft of things you could do with access to someone else's account," Tan said.

NZ Post spokesman Richard Trow said this afternoon that technicians were close to identifying the root of the issue.

“We are confident the issue is restricted to a very small number of cases where a particular sequence of events occurred and that no financial information was divulged,'' he said.

NZ Post had contacted the Office of the Privacy Commissioner.

Palmerston North IT worker Reon Webster was one of the three account holders Tan had access to and although he doubted an average user would be able to hack his account it would be a worrying if someone with malicious intent and password and credit card decryption skills stumbled on to it.

Webster said he had lodged a complaint with NZ Post after noticing a similar irregularity on his account two weeks ago.

YouShop gives users access to products not available here with a delivery address in the US and UK - which also allows shopping in Europe - that are then forwarded here.

NZ Post's glitch comes just a day after Vodafone was hit with a serious privacy breach of its own.

The loophole was discovered by a new Vodafone customer, who said he accidentally accessed another Vodafone customer's account with the password when he was trying to get into his.

Ad Feedback

- The Dominion Post

Comments

Special offers

Featured Promotions

Sponsored Content