Why you should be concerned about data leakage on your website

Lately I've been paying a lot of attention to data protection issues, and I've been wondering how companies are adapting to the new guidelines that the LGPD has been bringing since August 2020.

I then decided to explore the security of a website, with the goal of understanding how difficult it would be to find a security flaw. To my surprise, it took less than 5 minutes to reach a very serious one.

In this article I will tell a little about how I found this flaw, which could lead to a data leak and even a legal penalty for the company. Keep in mind that this test had a clear objective and no ill intent: the company was notified soon afterwards so that it could fix the error properly.

How did I find the error?

When I talk about exploration, some people may wonder what it means. Basically, it is a series of actions and code analysis that lets you understand the architecture of a site and also find errors like this security flaw.

In this exploration I used a simple API client called Insomnia. It lets you send requests to APIs and inspect the responses, without any very advanced techniques.

Image: Insomnia home screen

With the software installed on my computer, I started testing the APIs of a certain site. I started from the flows that exchange information, since that is the basic way to test the security of a site, and the flow with the largest volume of exchanged data is usually the newsletter. So I signed up for the site's newsletter.

Soon after I finished my registration, I received the first email validation message, which was sent through an exposed API.

I accessed the documentation of the platform the site is hosted on and understood how this API works on a site. With this, I discovered that the search on the newsletter data entity was publicly readable, which gave me access to the following API call:

/api/dataentities/NS/search?_where=email is not null&_fields=email

With this simple request I was able to access the data of all the people who had signed up for the brand's newsletter. I was surprised, because I imagined that finding a serious error like this would be more difficult and elaborate.

Just as this error was easy to find, the fix is also quick: block public access to this API.
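The kind of periodic check the article recommends can be automated. The script below is an added example and is not code from the original post or from the platform vendor. It assumes a Master Data style search endpoint with the same URL shape shown above (`/api/dataentities/<ENTITY>/search`), a `REST-Range` header that limits the page size (an assumption about the platform), and a JSON list in the response. It sends a single anonymous request for one record to a store you are responsible for and reports whether the entity's `email` field is readable without credentials, so it can run from cron or CI after every deployment.

```python
# Added example (not code from the original post): an unauthenticated
# self-check for a Master Data style search endpoint such as the one
# described in the article. Assumptions: the /api/dataentities/<ENTITY>/search
# URL shape, a REST-Range header to limit results, and a JSON list response.
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

EXPOSED = "exposed"            # anonymous caller receives the sensitive field
PROTECTED = "protected"        # request refused, or the field is withheld
INCONCLUSIVE = "inconclusive"  # no record to judge, or an unexpected response


def classify_response(status: int, body: bytes, field: str) -> str:
    """Decide what an anonymous response to a search request tells us.

    401/403             -> PROTECTED: reads require credentials
    200 + [{field:...}] -> EXPOSED: the entity returns the field to anyone
    200 + [{...}]       -> PROTECTED: records visible but the field withheld
    200 + []            -> INCONCLUSIVE: nothing matched, nothing to judge
    anything else       -> INCONCLUSIVE
    """
    if status in (401, 403):
        return PROTECTED
    if status != 200:
        return INCONCLUSIVE
    try:
        records = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return INCONCLUSIVE
    if not isinstance(records, list) or not records:
        return INCONCLUSIVE
    first = records[0]
    if isinstance(first, dict) and first.get(field) not in (None, ""):
        return EXPOSED
    return PROTECTED


def build_search_url(base_url: str, entity: str, field: str) -> str:
    """Build the same search URL shape the article shows, asking for one field only."""
    query = urllib.parse.urlencode({"_where": f"{field} is not null", "_fields": field})
    return f"{base_url.rstrip('/')}/api/dataentities/{entity}/search?{query}"


def probe_entity(base_url: str, entity: str = "NS", field: str = "email",
                 timeout: float = 10.0) -> str:
    """Send one anonymous request limited to a single record and classify it.

    No session cookie or app key is sent, so the verdict reflects what any
    visitor on the internet would get from your own store.
    """
    req = urllib.request.Request(
        build_search_url(base_url, entity, field),
        headers={
            "Accept": "application/json",
            # Assumed header: asks the server for only the first record
            "REST-Range": "resources=0-0",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(), field)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read(), field)
    except (urllib.error.URLError, OSError):
        return INCONCLUSIVE


if __name__ == "__main__":
    # Offline demonstration on constructed responses (not captured from any real site)
    samples = [
        (200, b'[{"id": "1", "email": "visitor@example.com"}]'),  # open entity
        (200, b'[{"id": "1"}]'),                                   # field withheld
        (403, b'{"Message": "forbidden"}'),                        # auth required
    ]
    for status, body in samples:
        print(f"HTTP {status} {body!r:50} -> {classify_response(status, body, 'email')}")

    # Live check against a store you own; the default is a placeholder, not a real host
    store = sys.argv[1] if len(sys.argv) > 1 else "https://example-store.invalid"
    verdict = probe_entity(store)
    print(f"{store}: newsletter entity is {verdict}")
    # A non-zero exit status lets a scheduled job or CI pipeline fail on exposure
    sys.exit(1 if verdict == EXPOSED else 0)
```

The check deliberately asks for a single record rather than the full list: the question a defender needs answered is whether anonymous reads are possible at all, and one record is enough to answer it without copying subscribers' data into yet another place. An `inconclusive` result (empty entity, network error, unexpected status) should be investigated by hand rather than treated as a pass.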

How to avoid data leakage on your website?

Under the LGPD, when a company suffers a data leak, the responsibility lies entirely with the company. Depending on the case, it can be treated with a warning or a fine of 2% of turnover, and the company's activity can be suspended by the courts.

To avoid security breaches and data leakage, it is necessary to have a technical team that runs security tests periodically to find flaws and correct errors. Keep in mind that the more systems are involved, the more communication there is between them, and the greater the chance of a security breach. It is up to your security architect to understand how your site works, so that you don't run the risk of compromising your clients and your brand.

If you want to dig deeper into the subject and understand how the LGPD impacts your business, see our e-book "A guide to the LGPD".

Keep an eye on your site's security! Talk to one of our consultants about the projects we carry out to help clients with data leakage.

Rua Bandeira Paulista, 275 - 1º Andar | ECOMFY TECNOLOGIA E DESENVOLVIMENTO LTDA | CNPJ 30.084.751/0001-02
© 2023, Codeby | Technology for Business Powered by Shopify