HP is exposing private user information to the entire web

  1. #1
    Newbie | Join Date: Mar 2012 | Posts: 9 | Rep Power: 4

    HP is exposing private user information to the entire web

    Hi folks,

    HP's customer service database is configured in such a way that private consumer information is being exposed to the entire Internet. Please help me put an end to this.

    You can see what I'm talking about if you search Google with the following terms:

    SOFTWARE FULFILLMENT SERVICE HP

    This search term will generate multiple hits. If you follow the customer service links, you will see that you're landing on pages that reveal the customer's name, the customer's mailing address, and the type of computer that the customer owns.

    If you then pick other unique phrases and search for those on Google, you will also discover scores of pages that are making private user data available to the entire Internet.

    The sad thing about the current state of HP customer service is the fact that one cannot actually get through to a human being in the corporate office who (a) realizes this is a problem and (b) is sufficiently empowered to fix it.

    I don't have endless hours to spend trying to make HP do the right thing, so I figured that I would spread the word via this forum. If we all post one or two messages in various forums about this problem, HP will eventually be compelled to act. Eventually, someone with a brain will realize that it's not acceptable to expose private customer addresses and computer information on the Internet. Please help me raise awareness of this issue so HP takes action to solve this problem.

    Aaron

  2. #2
    Notebook Deity | Join Date: Jan 2009 | Location: Estonia | Posts: 1,791 | Rep Power: 19

    Re: HP is exposing private user information to the entire web

    I'm not seeing any of those "customer service links" that you mentioned. Can you give a more specific starting point than Google search terms?
    Last edited by Indrek; 9th March 2012 at 08:44 AM. Reason: typo
    Proofread your posts carefully to see if you any words out.



    EliteBook resources: NightLight brightness mod | scrolling with trackpoint | installing a half-size WLAN card

  3. #3

  4. #4
    Notebook Deity | Join Date: Jan 2009 | Location: Estonia | Posts: 1,791 | Rep Power: 19

    Re: HP is exposing private user information to the entire web

    Okay, so the starting point is HP's order tracking site:
    https://warp1.external.hp.com/cso_st...der_Lookup.asp

    In order to see the details of an order, one would need to enter the order number and the ZIP code, which presumably only the person who placed the order would know. I don't see how this is different from any other order tracking system, and it certainly doesn't qualify as HP "exposing private user information to the entire web".

    Moreover, searching for specific phrases present on the order tracking pages (like "Customer service order status") returns only about 5-6 unique results. Maybe I'm doing something wrong, but I'm definitely not seeing "scores of pages" with private information being publicly accessible. Those few pages probably got indexed because the person linked to them on another site or something. At least there's no reason to believe HP exposed those links (whether deliberately, out of negligence, or for some other reason).

    Hypothetically, though, if the situation really was as bad as you make it sound, what would you expect HP to do about it? Shut down their order tracking system? I don't think customers would be very happy about that.
    Last edited by Indrek; 9th March 2012 at 10:31 AM.

  5. #5
    Newbie | Join Date: Mar 2012 | Posts: 9 | Rep Power: 4

    Re: HP is exposing private user information to the entire web

    Indrek,

    I did not suggest that HP exposed links; they are exposing customer data. I'm not contending that HP should completely shut down their customer support system.

    Surely, you can agree that it is not good for customer contact information to be exposed on the Internet. I discovered this problem because it seemed that "software fulfillment service" was an inaccurate description of my computer's failure. When I googled the term for a description of the problem, I ended up stumbling across mailing address details for other customers. This troubled me.

    The answer to this problem is simple. HP needs to configure their customer support database so that web crawlers cannot index those pages.

    I didn't say that the problem is dire. I said that it is a problem, and there is no easy way to reach someone at HP who is capable of saying "Yikes! We're exposing some of our customer details to the web? That's not supposed to happen. Thanks for the heads up. We will fix this immediately."

    This scenario might sound far-fetched, but imagine that I'm a black-hat hacker who is interested in causing some mischief. I see that a large furniture store in a midwestern state has returned their Pavilion laptop for repairs. This ticket gives me the exact location of the store and details about the laptop. This would provide an excellent basis for social engineering attacks of the sort described by Kevin Mitnick in his book.

    Again, I'm not saying this is the end of times. Planes will not fall from the sky. But it *is* a problem. It *is* easy to fix. I posted something in the forums, because this is one of the few ways that consumers can bypass the Kafkaesque voice mail trees erected by HP.

    Thanks,
    Aaron

  6. #6
    Newbie | Join Date: Mar 2012 | Posts: 9 | Rep Power: 4

    Re: HP is exposing private user information to the entire web

    Also, you suggested that this handful of pages might be showing up in search results because someone linked to them from another page. This is a good point, and it raises the need for some sort of password or authentication step.

    Do I think HP would do something like this deliberately? Of course not. I'm not insane. Do I think HP would make a mistake like this out of negligence? Certainly.

  7. #7
    Notebook Deity | Join Date: Jan 2009 | Location: Estonia | Posts: 1,791 | Rep Power: 19

    Re: HP is exposing private user information to the entire web

    Quote (originally posted by Aaron D.):
    I did not suggest that HP exposed links; they are exposing customer data.

    Surely, you can agree that it is not good for customer contact information to be exposed on the Internet.

    I can agree that it's not good, but I can't agree that it's HP that's exposing the data. If a customer posts a link to their order status on an external site [1], then they're the one exposing their private data, not HP.

    [1] Of course we don't know for sure that's what happened, but it's the best explanation I can come up with for how only those 5-6 specific links got indexed and the thousands of others that surely must exist in HP's database didn't.

    Quote (originally posted by Aaron D.):
    The answer to this problem is simple. HP needs to configure their customer support database so that web crawlers cannot index those pages.

    Fair enough, a reasonable suggestion. Though achieving "cannot" is, of course, impossible. The best they can do is "shouldn't", and that still won't prevent humans from following those links. This, coupled with the fact that you'd have to search for some pretty specific terms to stumble upon these pages in the first place means that some common sense on the part of the customer would achieve a lot more than any measures HP could employ against web crawlers.

    Quote (originally posted by Aaron D.):
    I didn't say that the problem is dire.

    You certainly implied so, with phrases like "private consumer information is being exposed to the entire Internet" and "scores of pages that are making private user data available to the entire Internet". I can see now that you only meant to express your frustration at being unable to reach anyone at HP about a minor technical issue.

    Quote (originally posted by Aaron D.):
    Do I think HP would make a mistake like this out of negligence? Certainly.

    What mistake, exactly? Creating an online order tracking system that works just like those of many other computer manufacturers, not to mention pretty much any parcel delivery service?

  8. #8
    Newbie | Join Date: Mar 2012 | Posts: 9 | Rep Power: 4

    Re: HP is exposing private user information to the entire web

    Indrek,

    This is less than dire, but it is more than a minor technical issue.

    Scores may have been a slight exaggeration, but I would wager that there are more than 40 pages that have been exposed in this way, and that would technically meet the definition.

    Are you saying that it is impossible for HP to solve this problem?

    It has been a while since I last used a robots.txt file, and I realize that they're not perfect. If a robots.txt file won't keep Google from indexing pages and serving them up in text results, a password requirement seems logical.

    You suggested that every other delivery service does this. Can you demonstrate that it's possible to reach those pages via a Google search without knowing the customer number? If you can actually show *hits* instead of entry pages, then I guess you're right. If Apple and Federal Express can't keep that information completely private, you've made a good case for the difficulty of doing so. However, if you can't show that random Google searchers would land on those pages, it suggests that there are security solutions that HP is negligent for not implementing.

    Am I making a big deal out of nothing? You tell me. Go ahead and post your name, mailing address and phone number in these public forums. Also, please let us know your make of computer with the precise serial number and the exact version of Windows (or whatever else) you happen to be running.

    Aaron
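
An added example, not part of any post in this thread: a small audit of what an order-status endpoint returns to an unauthenticated client, covering the robots.txt versus password point raised above. The URL parameter names and the sample responses are constructed assumptions; the thread does not show the real URL format.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical parameter names for lookup secrets carried in the URL.
SECRET_PARAMS = {"order", "order_no", "zip", "postal_code"}

def audit_status_page(url, status, headers, authenticated=False):
    """Return findings for one response from an order-status URL.

    `authenticated` says whether the request carried a session or login.
    """
    findings = []
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    query = parse_qs(urlsplit(url).query)

    leaked = sorted(p for p in query if p.lower() in SECRET_PARAMS)
    if leaked:
        # A URL that embeds the lookup values works as a bearer link:
        # anyone (or any crawler) that sees the link sees the page.
        findings.append("lookup values in URL: " + ",".join(leaked))
    if status == 200 and not authenticated:
        findings.append("personal data served without a session")
    robots = hdrs.get("x-robots-tag", "")
    if "noindex" not in robots and "none" not in robots:
        # robots.txt only asks crawlers not to fetch; a linked URL can
        # still be indexed. noindex must come from the page itself.
        findings.append("no X-Robots-Tag: noindex")
    if "no-store" not in hdrs.get("cache-control", ""):
        findings.append("response may be cached (no Cache-Control: no-store)")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = ("https://shop.example/status.asp?order_no=A123&zip=00000",
        200, {"Content-Type": "text/html"})
HARDENED = ("https://shop.example/status",
            302, {"Location": "/login", "X-Robots-Tag": "noindex, nofollow",
                  "Cache-Control": "no-store"})

if __name__ == "__main__":
    for name, (url, status, headers) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_status_page(url, status, headers))
```

A crawler can only honour `noindex` on a page it is allowed to fetch, so a robots.txt `Disallow` on the same path hides that header from it; the login redirect is what actually keeps the data out of reach.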

  9. #9
    Notebook Deity | Join Date: Jan 2009 | Location: Estonia | Posts: 1,791 | Rep Power: 19

    Re: HP is exposing private user information to the entire web

    Quote (originally posted by Aaron D.):
    Scores may have been a slight exaggeration, but I would wager that there are more than 40 pages that have been exposed in this way, and that would technically meet the definition.

    Wager, eh? Have you actually checked, or are you just guessing? Because I couldn't find more than 5-6.

    Quote (originally posted by Aaron D.):
    Are you saying that it is impossible for HP to solve this problem?

    Not impossible. Unless by "this problem" you mean human stupidity, in which case, yes, it is.

    Quote (originally posted by Aaron D.):
    It has been a while since I last used a robots.txt file, and I realize that they're not perfect. If a robots.txt file won't keep Google from indexing pages and serving them up in text results, a password requirement seems logical.

    Requiring a password would certainly help. But in the absence of any evidence that this is an actual problem rather than just a few users being negligent with their private information, I'm not sure the added inconvenience would be worth it.

    Quote (originally posted by Aaron D.):
    You suggested that every other delivery service does this. Can you demonstrate that it's possible to reach those pages via a Google search without knowing the customer number? If you can actually show *hits* instead of entry pages, then I guess you're right.

    Sure thing. Just have some people post links to their order pages on public websites and wait a while, and I'm sure search engines will pick them up sooner or later. Unless and until someone does that, it's not going to be possible to find random order status pages for Dell, Lenovo, Apple etc. through search engines, just like it's not possible to find random order status pages for HP through search engines, only the specific few ones that have been leaked (again, probably by the customer themselves, not HP).

    Quote (originally posted by Aaron D.):
    If Apple and Federal Express can't keep that information completely private, you've made a good case for the difficulty of doing so.

    Since it's on a publicly accessible site, that information can never be completely private, regardless of whether you're talking about HP, Apple, FedEx or someone else. Since there's a limited number of possible order numbers and a limited number of postal codes in the US, one can always use a brute force approach. Obviously it's not feasible for finding the personal information for any significant amount of customers, but there's no guarantee that someone won't input your order number and postal code by pure chance and thus gain access to your personal information. Therefore that information can never be completely private. QED.

    Quote (originally posted by Aaron D.):
    Am I making a big deal out of nothing? You tell me. Go ahead and post your name, mailing address and phone number in these public forums. Also, please let us know your make of computer with the precise serial number and the exact version of Windows (or whatever else) you happen to be running.

    Why would I want to do that? If you're trying to make the point that people can actually be that stupid, go ahead and post your own information.

    Though it should be noted that, like many other forum members, I've posted some of my computer's specs in my profile.

  10. #10
    Newbie | Join Date: Mar 2012 | Posts: 9 | Rep Power: 4

    Re: HP is exposing private user information to the entire web

    I find it interesting that you are so eager to blame the users in this situation. And you are so quick to defend HP. I'm not sure what your day job is, but I sure hope it does not involve any sort of user-focused customer support.
