Public data of Rozetka.ua users in the public domain

I came across this data source by accident. In my opinion, it's time to check what data our users give to users.



For reasons that I do not want to explain, I needed to get product reviews from the site rozetka.ua. When a site does not have a public API, you have to look for more refined options. I left parsing the HTML code of the pages as a last resort and began to search for better ways to extract the data.

The first thing I discovered was the mobile version of the site and, as it turned out, it is a SPA. All data was pulled through AJAX requests using a simple API. It gave access to everything required to get the reviews:

Category list:

http://m.rozetka.ua/?action=getJSONDataFromAdapter&m[0]=getOffersSections&p[0]=['123',0,15]

Product List:

http://m.rozetka.ua/?action=getJSONDataFromAdapter&m[0]=getOffersByParams&p[0]=['123',{},0,15]

List of reviews:

http://m.rozetka.ua/?action=getJSONDataFromAdapter&m[0]=getCommentsByOffer&p[0]=['123',0,15]

By the way, p[0] had to be URL-encoded twice. Why this was done is a mystery.

As soon as I got to the reviews, I saw the following picture:

{
  "content": [
    {
      "result": {
        "_0": {
          "text": "[ТутБылТекстОтзыва]",
          "created": "2015-02-13T17:22:17+02:00",
          "user": {
            "title": "Вася",
            "email": "вася@example.com"
          },
          "positive_vote_count": "0",
          "negative_vote_count": "0",
          "rating": "0",
          "percent_dignity": "0"
        },
        ...
        "_3": {
          "text": "[ТутБылТекстОтзыва]",
          "created": "2015-02-09T11:30:44+02:00",
          "user": {
            "title": "Виктор Викторович",
            "email": "виктор@example.com"
          },
          "positive_vote_count": "1",
          "negative_vote_count": "0",
          "rating": "0",
          "percent_dignity": "100"
        }
      },
      "code": "0"
    }
  ],
  "code": 1
}

As you can see, in addition to the user's name there is also their email. A few facts about reviews in this online store are worth mentioning:
  • Email for authorized users is substituted automatically;
  • You can’t post a review without an email;
  • All reviews are moderated;
  • Some people indicate, in addition to the name, the surname / middle name.

So, we have a large database of emails with names, and sometimes with last names, targeting certain groups of products. Since I had never dealt with the internals of Rozetka, I decided that this response would probably be fixed soon and forgot about this site for a month.

In February this year, Rozetka rolled out a redesign and I decided to check the status of the vulnerability in the mobile version. It turned out that the API had been updated to version 3 (apparently, there was a second version earlier), in which the structure of requests and responses was slightly changed. Going to the reviews page and opening the developer tools showed that the email no longer comes in the response to the request. Only the name field remains. One could have stopped there and forgotten about this case. But interest overcame me and I decided to make the request using the old link. The browser successfully returned the same response to me. The old API is not closed, the vulnerability is in place.

The next day, a letter was written to the developers of the online store. They answered me promptly, confirmed the vulnerability, and after a few hours the second version of the API was closed. As I understand it, this API was originally used for internal needs, and when it was made public, the email remained. After the arrival of the third version, the second version continued to work.
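A response check of the kind that catches this class of leak, as an added example (not code from the original post or from the store's developers). It walks a decoded review response, reports any field under "user" that is not on a public allowlist plus any email-shaped value elsewhere, and runs over every API version that is still reachable. The allowlist, the function names and the sample data are assumptions made for the illustration.

```python
import re

# Assumption: only the display name is meant to be public.
ALLOWED_USER_FIELDS = {"title"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def find_pii(node, path="$"):
    """Return (json_path, reason) for every leak found in a decoded response."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if path.endswith(".user") and key not in ALLOWED_USER_FIELDS:
                findings.append((child, "user field not on allowlist"))
                continue  # already reported; do not report its value again
            findings.extend(find_pii(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_pii(value, f"{path}[{i}]"))
    elif isinstance(node, str) and EMAIL_RE.fullmatch(node.strip()):
        findings.append((path, "email-shaped value"))
    return findings

def audit_versions(responses):
    """Check every API version that is still deployed, not only the newest."""
    return {version: find_pii(body) for version, body in responses.items()}

def review(name, email=None):
    """Build one constructed review entry shaped like the response above."""
    user = {"title": name}
    if email:
        user["email"] = email
    return {"text": "[review text]", "user": user, "rating": "0"}

# Constructed sample data: the old version still returns emails, the new one does not.
SAMPLE = {
    "v2": {"content": [{"result": {
        "_0": review("User One", "user1@example.com"),
        "_1": review("User Two", "user2@example.com"),
    }, "code": "0"}], "code": 1},
    "v3": {"content": [{"result": {
        "_0": review("User One"),
        "_1": review("User Two"),
    }, "code": "0"}], "code": 1},
}

if __name__ == "__main__":
    for version, findings in audit_versions(SAMPLE).items():
        print(version, "FAIL" if findings else "ok", findings)
```

Run as a regression test against each deployed version, a check like this fails for as long as an older endpoint keeps returning the field, even after the current one has been fixed.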

As always, the simplest inattention in our profession can lead to sad consequences...