The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    HP is exposing private user information to the entire web

    Discussion in 'HP' started by Aaron D., Mar 8, 2012.

  1. Aaron D.

    Aaron D. Newbie

    Hi folks,

    HP's customer service database is configured in such a way that private consumer information is being exposed to the entire Internet. Please help me put an end to this.

    You can see what I'm talking about if you search Google with the following terms:

    SOFTWARE FULFILLMENT SERVICE HP

    This search term will generate multiple hits. If you follow the customer service links, you will see that you're landing on pages that reveal the customer's name, the customer's mailing address, and the type of computer that the customer owns.

    If you then pick other unique phrases and search for those on Google, you will also discover scores of pages that are making private user data available to the entire Internet.

    The sad thing about the current state of HP customer service is the fact that one cannot actually get through to a human being in the corporate office who (a) realizes this is a problem and (b) is sufficiently empowered to fix it.

    I don't have endless hours to spend trying to make HP do the right thing, so I figured that I would spread the word via this forum. If we all post one or two messages in various forums about this problem, HP will eventually be compelled to act. Eventually, someone with a brain will realize that it's not acceptable to expose private customer addresses and computer information on the Internet. Please help me raise awareness of this issue so HP takes action to solve this problem.

    Aaron
     
  2. Aaron D.

    Aaron D. Newbie

  3. Aaron D.

    Aaron D. Newbie

    Indrek,

    I did not suggest that HP exposed links; they are exposing customer data. I'm not contending that HP should completely shut down their customer support system.

    Surely, you can agree that it is not good for customer contact information to be exposed on the Internet. I discovered this problem because it seemed that "software fulfillment service" was an inaccurate description of my computer's failure. When I googled the term for a description of the problem, I ended up stumbling across mailing address details for other customers. This troubled me.

    The answer to this problem is simple. HP needs to configure their customer support database so that web crawlers cannot index those pages.

    I didn't say that the problem is dire. I said that it is a problem, and there is no easy way to reach someone at HP who is capable of saying "Yikes! We're exposing some of our customer details to the web? That's not supposed to happen. Thanks for the heads up. We will fix this immediately."

    This scenario might sound far-fetched, but imagine that I'm a black-hat hacker who is interested in causing some mischief. I see that a large furniture store in a midwestern state has returned their Pavilion laptop for repairs. This ticket gives me the exact location of the store and details about the laptop. This would provide an excellent basis for social engineering attacks of the sort described by Kevin Mitnick in his book.

    Again, I'm not saying this is the end of times. Planes will not fall from the sky. But it *is* a problem. It *is* easy to fix. I posted something in the forums, because this is one of the few ways that consumers can bypass the Kafkaesque voice mail trees erected by HP.

    Thanks,
    Aaron
     
  4. Aaron D.

    Aaron D. Newbie

    Also, you suggested that this handful of pages might be showing up in search results because someone linked to them from another page. This is a good point, and it raises the need for some sort of password or authentication step.

    Do I think HP would do something like this deliberately? Of course not. I'm not insane. Do I think HP would make a mistake like this out of negligence? Certainly.
     
  5. Aaron D.

    Aaron D. Newbie

    Indrek,

    This is less than dire, but it is more than a minor technical issue.

    Scores may have been a slight exaggeration, but I would wager that there are more than 40 pages that have been exposed in this way, and that would technically meet the definition.

    Are you saying that it is impossible for HP to solve this problem?

    It has been a while since I last used a robots.txt file, and I realize that they're not perfect. If a robots.txt file won't keep Google from indexing pages and serving them up in text results, a password requirement seems logical.

    You suggested that every other delivery service does this. Can you demonstrate that it's possible to reach those pages via a Google search without knowing the customer number? If you can actually show *hits* instead of entry pages, then I guess you're right. If Apple and Federal Express can't keep that information completely private, you've made a good case for the difficulty of doing so. However, if you can't show that random Google searchers would land on those pages, it suggests that there are security solutions that HP is negligent for not implementing.

    Am I making a big deal out of nothing? You tell me. Go ahead and post your name, mailing address and phone number in these public forums. Also, please let us know your make of computer with the precise serial number and the exact version of Windows (or whatever else) you happen to be running.

    Aaron
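
The trade-off raised in this post (robots.txt versus a noindex directive versus a password), as an added example that is not part of the original thread: a Python check that classifies how a search crawler would treat one anonymous response from a status page. The path, sample responses and verdict labels are constructed for illustration.

```python
import re
from urllib.robotparser import RobotFileParser

META_NOINDEX = re.compile(
    r"<meta[^>]+name=[\"']robots[\"'][^>]*content=[\"'][^\"']*noindex", re.I)

def crawler_exposure(path, status, headers, body, robots_txt, agent="Googlebot"):
    """Classify one anonymous response the way a search crawler would treat it."""
    if status in (401, 403):
        return "auth-required"        # content is never served without credentials
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    if not rules.can_fetch(agent, path):
        # Disallow stops fetching only: a URL linked from elsewhere can still
        # be listed, and the crawler never sees a noindex directive on the page.
        return "crawl-blocked-only"
    tag = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" in tag or META_NOINDEX.search(body):
        return "noindex-but-public"   # out of results, readable by anyone with the link
    return "indexable"

def audit():
    """Run the classifier over four constructed responses for one hypothetical URL."""
    page = "<html><body>Order status: name, mailing address, model</body></html>"
    path = "/status/order?id=EXAMPLE"            # hypothetical status-page path
    block = "User-agent: *\nDisallow: /status/\n"
    login = {"WWW-Authenticate": 'Basic realm="orders"'}
    return {
        "open": crawler_exposure(path, 200, {}, page, ""),
        "robots": crawler_exposure(path, 200, {}, page, block),
        "noindex": crawler_exposure(path, 200, {"X-Robots-Tag": "noindex"}, page, ""),
        "login": crawler_exposure(path, 401, login, "", ""),
    }

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:8} {verdict}")
```

Only the "auth-required" verdict keeps the customer record away from someone who already holds the link; the other two controls affect search listings, not access.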
     
  6. Aaron D.

    Aaron D. Newbie

    I find it interesting that you are so eager to blame the users in this situation. And you are so quick to defend HP. I'm not sure what your day job is, but I sure hope it does not involve any sort of user-focused customer support.
     
  7. Aaron D.

    Aaron D. Newbie

    Wait. It just occurred to me that we can search Google for sites that point to other hyperlinks. If your theory is correct, shouldn't we be able to track down the sites supposedly linking to these customer status pages? Or have all of these supposed sites mysteriously been taken down?
     
  8. Aaron D.

    Aaron D. Newbie

    Indrek,

    The other flaw in your logic is the suggestion that there are only five or six pages. There may only be five or six pages with that particular type of failure (e.g. software fulfillment), but you can search for key phrases on the generic customer support page and track down other pages for different types of hardware failure. When you then feed those into a Google search, you pull down additional pages. Granted that it's still a very small subset of what must be a much larger database, but it is more than five or six pages.
     
  9. Shemmy

    Shemmy Notebook Evangelist

    I find it funny that people think their address and phone number are private information.
     
  10. pepper_john

    pepper_john Notebook Deity

    What customers are buying from HP is private information.
     
  11. adrynalyne

    adrynalyne Notebook Consultant

    If there are only 5-6 hits, then it is somewhat likely that these customers posted those URLs somewhere and a web crawl picked them up.

    So, blame the user for being an idiot and linking such info on a site (somewhere), and blame HP for not requiring passwords for fulfillment.

    There, problem solved. We can blame everyone and not take sides :p
     
  12. Starrbuck

    Starrbuck Notebook Consultant

    Oh my gosh, I bought a computer from HP. I am so upset that private information got out. Get real.

    There are much more serious things to worry about.
     
  13. sullymc

    sullymc Notebook Enthusiast

    Really....

    BFD
     
  14. joako24

    joako24 Notebook Enthusiast

    Search in Google:

    site:warp1.external.hp.com "Customer Service Order Status" "billing address"