Samsung Is Reportedly Leaking the Data of Customers Buying Its Gorgeous New TVs
Samsung has apparently been leaking the data of customers who order products through the company's online store. Matt Metzger, an application security engineer, found the leak when he ordered a TV from the Korean tech giant. The flaw appears to lie in how data is handled by Associated Global Systems (AGS), Samsung's partner that reportedly handles product shipments.
Is Samsung leaking customer information?
Samsung appears to be leaking user names, addresses, and other information when customers order from the company's online store. Metzger wrote on Medium about the discovery, which he made while buying a new TV from the popular TV maker. After he placed the order, Metzger received a URL to track his delivery. However, when he clicked the link he saw the details of two orders instead of only his own: the other customer's order information, user name and address were visible to him.
When he contacted Samsung, the company said that tracking numbers are recycled every year, but that he shouldn't be worried because his order is "first listed." On top of this, the tracking ID was sequential, which means anyone looking for data could walk through neighbouring IDs and scrape Samsung customers' data en masse, possibly exposing thousands of customers. It is also unclear why the older data wasn't removed if the tracking numbers are "recycled" every year: a recycled number should not still resolve to last year's customer.
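To make the problem with sequential tracking IDs concrete, here is an added illustration (not code from Metzger's post, and not Samsung's or AGS's tracking system). It uses constructed, fictional orders in memory. The vulnerable lookup keys records by a guessable sequential number, so a scraper only has to count up and down from a number it already holds. The two hardened lookups bind the link to something the holder cannot guess: a random stored capability token, or a stateless HMAC tag over the order number and the year, so a "recycled" number from a previous year produces a different link. All function names, the secret and the `/track` URL shape are assumptions for the example.

```python
"""Sequential vs. unguessable tracking links (added illustration, constructed data)."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample orders with fictional customers; keys are sequential tracking numbers.
ORDERS = {
    100001: {"name": "Customer A", "address": "1 First St"},
    100002: {"name": "Customer B", "address": "2 Second Ave"},
    100003: {"name": "Customer C", "address": "3 Third Rd"},
}


# --- Vulnerable pattern: the sequential tracking number is the only thing the link carries.
def lookup_vulnerable(tracking_no: int) -> Optional[dict]:
    """Whoever knows (or guesses) a number gets the record; nothing ties it to the requester."""
    return ORDERS.get(tracking_no)


def enumerate_neighbours(known: int, radius: int = 2) -> list:
    """What a scraper does with one valid sequential ID: try the adjacent values."""
    return [n for n in range(known - radius, known + radius + 1)
            if lookup_vulnerable(n) is not None]


# --- Hardened pattern 1: a random capability token stored next to the order.
TOKEN_INDEX: dict = {}  # token -> order number (assumed to live in the order database)


def issue_random_token(order_no: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: enumeration is infeasible
    TOKEN_INDEX[token] = order_no
    return token


def lookup_by_token(token: str) -> Optional[dict]:
    order_no = TOKEN_INDEX.get(token)
    return ORDERS.get(order_no) if order_no is not None else None


# --- Hardened pattern 2: a stateless HMAC tag, so no token table is needed.
SERVER_SECRET = secrets.token_bytes(32)  # assumption: loaded from a KMS or env var in production


def _tag(order_no: int, year: int) -> str:
    # The year is part of the message, so a recycled number from last year gets a different tag.
    return hmac.new(SERVER_SECRET, f"{year}:{order_no}".encode(), hashlib.sha256).hexdigest()


def make_signed_link(order_no: int, year: int) -> str:
    return f"/track?o={order_no}&y={year}&t={_tag(order_no, year)}"


def lookup_signed(order_no: int, year: int, tag: str) -> Optional[dict]:
    if not hmac.compare_digest(_tag(order_no, year), tag):  # constant-time comparison
        return None
    return ORDERS.get(order_no)


def lookup_from_link(link: str) -> Optional[dict]:
    """Server-side handler for an assumed /track?o=..&y=..&t=.. link."""
    qs = parse_qs(urlparse(link).query)
    try:
        return lookup_signed(int(qs["o"][0]), int(qs["y"][0]), qs["t"][0])
    except (KeyError, ValueError):
        return None


if __name__ == "__main__":
    print("vulnerable: neighbours of 100002 ->", enumerate_neighbours(100002, 1))
    link = make_signed_link(100002, 2020)
    print("signed link works:", lookup_from_link(link) is not None)
    print("tampered order number rejected:",
          lookup_from_link(link.replace("o=100002", "o=100003")) is None)
```

Neither hardened lookup is a substitute for the stronger control of requiring the customer to be logged in to the account that placed the order; the token approaches are the minimum for an unauthenticated tracking link that is sent by email. The HMAC variant also needs a retention rule: once last year's records are purged, a recycled number cannot resolve to a previous customer at all.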
In his post, Metzger discusses how this information could be used in social engineering attacks. He further notes that after he received the order, Samsung attached a TIFF file to it, showing his full name, address, and signature.
AGS, Samsung's shipping partner, also has a tracking system through which someone could access user information, possibly many records with attached TIFF files. While we are waiting for other security researchers to verify this report, our own search of this tracking system didn't yield any results, even with sequential order numbers. However, going by Metzger's report, it appears that whatever data you enter to order from Samsung's online store should be considered public. Your name, address, signature, order number, and phone numbers could be visible to anyone looking for this data with a quick Google search.
When Metzger contacted Samsung, he was told to contact AGS directly. However, Metzger believes it's Samsung's responsibility to consider how user data is handled by its shipping partners.
"I understand you would like this forwarded to our security team. Your request will need to be taken up with AGS. You will need to remove your information through AGS. We apologize for any inconveniences that may have impacted your experience with Samsung. We at Samsung appreciate your business, and we sincerely hope that this situation doesn't deter you from continuing to purchase products of the Samsung brand." (Samsung)
We couldn't immediately get a response from Samsung but will update this story as soon as we do.