When “Access Control” to sensitive Data is just a Number in a URL

Not long ago, I covered the Merkur hack from Lilith Wittmann – a glaring example of careless handling of sensitive data. And today, here we are again! Another service, another broken-by-design system. This time: the hotel chain Numa, exposing tens of thousands of identity documents to anyone with a URL and a browser.

What happened

I came across this report via a post on Mastodon from the CCC. Their (German) post describes what happened; I’ll briefly outline it:

After checking out, a guest received a link to his invoice by email. Out of curiosity he clicked it – and changed a number in the URL. And there they were: passport scans, national IDs and visa documents. Not just his own, but thousands of others’, completely unprotected.

Security by … Not even Obscurity

This is a textbook case of IDOR (Insecure Direct Object Reference): the simplest, most avoidable class of security flaw, where files are accessible just by guessing or incrementing an ID number. No login, no access control, just a poorly designed system.
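As an added illustration (not code from the post, the CCC, or Numa’s system), here is the broken pattern in a minimal Python sketch next to two server-side fixes: an ownership check against the authenticated session, and, for links sent by email, an unguessable per-document reference instead of a sequential ID. All names and data are constructed.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: two guests, each with one stored document.
DOCUMENTS = {
    1001: {"owner": "alice", "file": "alice-invoice.pdf"},
    1002: {"owner": "bob", "file": "bob-passport-scan.pdf"},
}


class Forbidden(Exception):
    """Raised when a request must be refused (missing or foreign object)."""


def fetch_vulnerable(doc_id: int) -> Optional[str]:
    """'Before': the numeric ID from the URL is the only key (IDOR).
    Whoever changes the number gets someone else's document."""
    doc = DOCUMENTS.get(doc_id)
    return doc["file"] if doc else None


def fetch_authorized(doc_id: int, session_user: Optional[str]) -> str:
    """Fix 1: same URL shape, but the server verifies that the
    authenticated session owns the object before serving it."""
    if session_user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        # Same answer for "does not exist" and "belongs to someone else",
        # so the endpoint does not reveal which IDs are in use.
        raise Forbidden("not found")
    return doc["file"]


# Fix 2: for unauthenticated links (e.g. an invoice link in an email),
# map a random, non-enumerable token to the document server-side.
# In production the token should also expire and be single-use.
_TOKEN_TO_ID: Dict[str, int] = {}


def issue_link_token(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: cannot be guessed
    _TOKEN_TO_ID[token] = doc_id
    return token


def fetch_by_token(token: str) -> str:
    doc_id = _TOKEN_TO_ID.get(token)
    if doc_id is None:
        raise Forbidden("not found")
    return DOCUMENTS[doc_id]["file"]
```

Neither fix removes the underlying problem the CCC raises: data that should never have been stored cannot leak if it is deleted after use.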

But it gets even better!

But the “best” part is in the last paragraph of the CCC post: “Anyone who has booked and paid for a room and received their check-in link has sufficiently confirmed their identity. An additional ID check including permanent storage is neither necessary nor legally tenable.”

So … Numa has not just “lost” sensitive data – they have lost sensitive data that they shouldn’t have gathered in the first place? Oh my …

Just as a reminder: Security isn’t optional. Sensitive data deserves more than … THAT.

Sources:
