UK website data insecurity worries: Users in bits over car break-up emails
Don't break my car... my achy brake-y car... or is that do?
Updated Popular car parts website PartsGateway.co.uk is dangerously insecure, a veteran UK security consultant warns.
The warning from Paul Moore comes in the midst of ongoing social media complaints (example here) by customers who say they have received phishing mails containing personal addresses and phone numbers. One of the users said the phishing email had been sent to an address they had provided only to PartsGateway. Dodgy emails appeared in the guise of legitimate-looking order confirmations.
El Reg learned of the issue as the result of a tip-off from a concerned reader. The free-to-consumers web-based service had yet to respond to repeated requests for comment at the time of publication. We'll update if we hear more.
We did note a tweet from Parts Gateway's Twitter account to one user that claimed its tech team was investigating the spam, however:
@Chutzpah84 Hi Rob. We do not sell customer information. We have had a few reports of customers receiving a phishing e-mail and our tech guys are on it.— PartsGateway (@PartsGateway) February 8, 2017
Users faced with a similar lack of feedback have flagged up concerns with data privacy watchdogs at the ICO.
Paul Moore said he has identified a number of security shortcomings with the site, including a reliance on plain-text passwords and weak or absent TLS encryption.
"With an 11-year-old version of Apache, a seven-year-old version of PHP, no security headers whatsoever, weak TLS and no meaningful authentication, it was only a matter of time before Partsgateway became a statistic," Moore told El Reg.
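Two of the shortcomings Moore lists, version-advertising server software and a total absence of security headers, are visible in nothing more than an HTTP response. The script below is an added example, not code from the article, from Moore or from PartsGateway: it parses a raw response and reports missing security headers, version strings in Server/X-Powered-By, and session cookies without Secure/HttpOnly. Both responses it is run against are constructed for illustration, with old version numbers chosen to resemble the situation Moore describes; neither was captured from any real host.

```python
"""Audit an HTTP response for missing security headers and version disclosure.

Added example. SAMPLE_RESPONSE and HARDENED_RESPONSE are constructed inputs,
not captures from PartsGateway or any other live site.
"""
from __future__ import annotations

import re

# Headers a modern site is expected to send; absence of any one is a finding.
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)

# Headers that commonly hand an attacker the exact software version to look up.
VERSION_LEAK_HEADERS = ("server", "x-powered-by")

# Constructed: an out-of-date stack that advertises itself and sets no security headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 08 Feb 2017 10:00:00 GMT\r\n"
    "Server: Apache/2.0.55 (Unix)\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same site after hardening, for comparison.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw HTTP response into {lowercased-name: [values]}, ignoring the body."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        # Header names are case-insensitive; repeated headers (Set-Cookie) keep every value.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: dict[str, list[str]]) -> list[str]:
    """Return one human-readable finding per problem; an empty list means nothing flagged."""
    findings: list[str] = []
    for name in EXPECTED_SECURITY_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    for name in VERSION_LEAK_HEADERS:
        for value in headers.get(name, []):
            # "Product/1.2.3" style tokens are version disclosure; a bare "Apache" is not.
            if re.search(r"/\d", value):
                findings.append(f"{name} discloses version: {value}")
    for cookie in headers.get("set-cookie", []):
        parts = cookie.split(";")
        attrs = {p.strip().lower() for p in parts[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            findings.append(f"cookie lacks Secure/HttpOnly: {parts[0].strip()}")
    return findings


def audit_response(raw: str) -> list[str]:
    """Convenience wrapper: parse then audit a raw response string."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_response(resp) or ["no findings"]:
            print(" ", finding)
```

On a live target the same audit would be fed the output of a single `curl -sI https://host/` call; the point of the offline version is that every check here rests on information the server volunteers to any anonymous client, which is exactly why recon against an advertised 2005-era Apache build is so cheap for an attacker.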
PartsGateway says it allows UK motorists to hunt down the best deals on genuine new or used car and van parts. Customers can compare new and used car part prices from more than 180 car-breakers at no cost to themselves. ®
Updated at 10.03 GMT on Friday 17 February to add: Still no word from PartsGateway to us at El Reg, but we've been forwarded copies of its emails to customers admitting a breach and advising them to change their email addresses.
"Unfortunately we were the victims of an attack where the perpetrators were able to gain access via a vBulletin work forum to access the user database," PartsGateway told its customers. "We must stress no financial records are stored."