If you buy a product from Samsung's online store, your name, address, order information and other data may be accessible to anyone who cares to look.
Matt Metzger, a self-described "application security engineer" who said he has worked in shipping-industry compliance, wrote Wednesday on Medium about an accidental discovery. Metzger said he ordered a TV from the Samsung online store and was sent a URL to track his delivery. When he followed the URL, he discovered that his tracking number was the same one used for someone else's previous delivery and that he could see sensitive information, such as the person's name and items ordered, without any security measures getting in the way.
Metzger also discovered that more information was attached in a TIFF file to his own order after the delivery was completed. The file included his full name, address and signature.
The delivery tracking system is easily searchable using seven-digit numbers that are recycled each year, Metzger said Samsung told him over email. As Metzger pointed out, it wouldn't be too difficult to program a bot to cycle through random seven-digit codes on the distributor's website, and then scrape order and personal data from whatever comes up. This could jeopardize the information of thousands of consumers, although it is unclear how many accounts are accessible at any given time on the website.
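The weakness Metzger describes is a lookup keyed on a short, recycled number with nothing else required. The following is an added example, not code from the story, Samsung, or the shipper: a small in-memory tracking lookup in that weak form, beside a hardened version in which the emailed link also carries a random per-shipment token, plus a detector that flags clients producing many failed lookups. The data, names, IP addresses, the tracking.example hostname and the token design are constructed for illustration.

```python
"""Added example: recycled-number tracking lookup (weak) versus token-bound
lookup (hardened), with enumeration detection over a constructed access log."""
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Shipment:
    tracking_number: str         # seven digits, reused in later years (as in the story)
    year: int
    customer_name: str
    address: str
    items: List[str]
    pod_document: Optional[str]  # proof-of-delivery scan: name, address, signature
    # Hypothetical fix: a 128-bit random capability token minted per shipment.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data: the same tracking number recycled across two years.
SHIPMENTS = [
    Shipment("0123456", 2016, "A. Customer", "1 First St", ["55-inch TV"], "pod/0123456-2016.tiff"),
    Shipment("0123456", 2017, "B. Customer", "2 Second Ave", ["Soundbar"], "pod/0123456-2017.tiff"),
    Shipment("9876543", 2017, "C. Customer", "3 Third Rd", ["Phone"], None),
]


def vulnerable_lookup(tracking_number: str) -> List[Shipment]:
    """Weak pattern: the seven-digit number is the only key, so anyone who enters
    it sees every matching record, including earlier years' deliveries to other
    customers and their attached proof-of-delivery documents."""
    return [s for s in SHIPMENTS if s.tracking_number == tracking_number]


def hardened_lookup(tracking_number: str, token: str) -> Optional[Shipment]:
    """Hardened pattern: the number selects the record, but the caller must also
    present the per-shipment token embedded in the customer's link. The
    constant-time comparison avoids leaking partial matches through timing."""
    for s in SHIPMENTS:
        if s.tracking_number == tracking_number and hmac.compare_digest(s.token, token):
            return s
    return None


def tracking_link(shipment: Shipment) -> str:
    """The link the merchant would email; the hostname is a placeholder."""
    return f"https://tracking.example/track?num={shipment.tracking_number}&t={shipment.token}"


def flag_enumeration(events: List[Tuple[str, bool]], threshold: int = 20) -> List[str]:
    """Detection: clients with many failed lookups are probing the number space.
    `events` holds (client, succeeded) pairs taken from the lookup access log."""
    failures = Counter(client for client, ok in events if not ok)
    return sorted(c for c, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    # Recycled number, no token: both customers' records come back.
    for s in vulnerable_lookup("0123456"):
        print("exposed:", s.year, s.customer_name, s.pod_document)
    # With the token from the emailed link, only that one shipment is returned.
    print("hardened:", hardened_lookup("0123456", SHIPMENTS[0].token).customer_name)
    print("wrong token:", hardened_lookup("0123456", "x" * 22))
    # Constructed log: one client fails 30 times; a real customer mistypes twice.
    log = [("198.51.100.7", False)] * 30 + [("203.0.113.5", False)] * 2 + [("203.0.113.5", True)]
    print("probing clients:", flag_enumeration(log))
```

The design point is that the seven-digit number can stay human-readable for customer service, but the web lookup should require the unguessable token as well, so that a number alone (guessed, reused or iterated) returns nothing; the access-log check is the matching detective control for a deployment that cannot change its URLs immediately.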
Metzger explored the potential exploitation of the system in his posting, but it's clear that if you purchase anything from Samsung's online store, you should act as though that information is public. Your order number, your name, your address and, perhaps with a quick Google search, your phone number could be available to scammers -- and that's more than enough to do significant damage.
While Metzger's assertions haven't been independently verified, after typing random numbers into the tracking system, I could easily access the information of more than 40 accounts. Not all of the accounts I looked at included the most sensitive data, but many had attached TIFF files with full names, addresses and signatures -- just like Metzger's.
After he mentioned in an email to Samsung his discomfort with the lack of security, Metzger said, Samsung redirected him to the distribution company, Associated Global Systems.
"A company the size of Samsung should have better policies in place regarding the sharing of customer information with third parties," Metzger said. "The shipper inevitably needs this information to deliver the products -- but Samsung should have had a better understanding of how that information was being handled once it was in the shipper's hands."
A Samsung representative said the company is aware of the issue and is looking into it. CNET will update the story with an official statement when it is available.
Associated Global Systems did not immediately respond to requests for comment.