Pen Test Partners: Anyone could view Gumtree users' GPS location by pressing F12

UK online used goods bazaar Gumtree exposed its users' home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw. British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user's name and location ( …

  1. Mike 137 Silver badge

    In a statement Gumtree told The Register: "We were made aware..."

    "In a statement Gumtree told The Register: 'We were made aware by a user of a security issue affecting our website source code'"

    You mean your web 'developers' didn't know what their code did, and never looked at the page source?

    What a surprise.

    1. DomDF

      Re: In a statement Gumtree told The Register: "We were made aware..."

      Probably used one of those "no code" solutions.

      1. Hubert Cumberdale Silver badge

        Re: In a statement Gumtree told The Register: "We were made aware..."

        Yeah, that wasn't Pearl Jam's best album.

    2. loops

      Re: In a statement Gumtree told The Register: "We were made aware..."

      AKA: In a statement Gumtree told The Register "Fuck off, and when you've fucked off, kindly fuck off again".

  2. devin3782

    This, kids, is why you don't lazy-load everything with JavaScript, building HTML from JSON source data: the tendency to pull the data from storage and serialise it to JSON using your ORM layer's built-in functionality is so dangerous.

    1. Robert Grant

      Select * is just as easy to misuse and serialise. Funny how the problem is always the thing you don't like, isn't it?

      1. Hubert Cumberdale Silver badge

        I'm a big fan of Red Dwarf – great work.

  3. Richard Tobin

    "In both Firefox and Chrome, F12 opens the "view page source" developer tools screen".

    I just tried it, and all it did was turn the volume up.

    1. Claverhouse Silver badge

      Re: F12

      On Pale Moon --- just tried --- it merely opens the tabs Showcase --- If I want to view the Page Source, as often before, though not to look at people's uninteresting lives, it's under Tools on the menu-bar, or on the right-click menu.

      Of course with modern Devs *, the menu-bar is démodé, and frequently has to be added after installation with oh, so many applications.

      * Earlier today, trying to find out what Adwaita was --- actually the default theme for Gnome, which this thread says the Gnome devs as is their wont are trying to make standard, preventing other themes... --- since the word used to come up in boot-up error messaging on OpenSUSE; these words rang true:

      Ever since GTK3 and gnome 3 it's always been the sad story of change for the sake of change and the arbitrary removal of features.

      At this rate, gnome 5 will be just a non-customizable blue wallpaper with the only UI a cursor with no right or left click functions and the only way to do anything is to learn some asinine key combo that only 8-armed space aliens can do.

      GTK 5 will only have one UI option: the close button with little UI functionality requiring yet more asinine key combos, but this time only space aliens with 1000 arms can do them.


    2. Hubert Cumberdale Silver badge

      Re: F12

      ...meaning your laptop probably has a Fn key and is configured so that the F* keys are for some reason deemed to be a "legacy" option that you can reach by holding Fn down while pressing them.

      1. Claverhouse Silver badge

        Re: F12

        Laptop? What are they?

  4. DomDF

    Not another one

    First Guntrader, now Gumtree. At this rate there'll be nothing left in my house to steal.

  5. ThatOne Silver badge

    "We really don't care. Go away!"

    > Gumtree said [...]: "We take the privacy of our users very seriously"

    All was said.

    In this age and day who would dare use this utterly hackneyed statement which has come to mean the exact opposite of what it pretends?

    1. Hubert Cumberdale Silver badge

      Re: "We really don't care. Go away!"

      You have to feel sorry for them – after all, this was a very sophisticated cyber attack.

  6. Dave314159ggggdffsdds Silver badge

    This was a vulnerability worth reporting?! I always assumed they'd done it on purpose. You didn't need to play with developer tools in the browser to get the postcode. You just had to click on the map.

  7. Anonymous Coward

    Gumtree. Completely new word to me. It sounds like a dating service for octogenarians.

  8. spireite Silver badge

    Always thought Gumtree sounded like a dating site for old folks.

