[BreachExchange] Nvidia Webpage Found Leaking Customer Email Addresses to Randos

Destry Winant destry at riskbasedsecurity.com
Wed Sep 30 10:33:15 EDT 2020


https://uk.pcmag.com/news-analysis/128808/nvidia-webpage-found-leaking-customer-email-addresses-to-randos

It appears Nvidia’s website accidentally leaked some customer email
addresses to anyone visiting the order status page.

On Friday, a user on Reddit brought up the problem with a screenshot,
which shows a random person’s email address popping up in the login
field on Nvidia’s website.

PCMag managed to replicate the issue on Nvidia’s order status page
when using Firefox. A stranger’s email address did indeed appear
in the login field. A quick Google search revealed the same email
address belonged to a college student in Florida who studies computer
science.

The incident has also affected software engineer Phil Bayfield, who
says a random person ended up learning his email address through the
leak on Nvidia’s website.

As evidence, Bayfield posted an email exchange between him and the
random person, which was first reported by TechTeamGB. The stranger
sent the email back on Monday in the hopes Bayfield had acquired
Nvidia’s newly launched RTX 3080 card, with the goal of buying it
off him.

“Can I have your 3080?” the stranger asked.

“I don’t have a 3080,” Bayfield replied.

The stranger then proceeded to explain how Bayfield’s email was
exposed. “...somehow Nvidia’s website is leaking emails. It had your
email autofilled in the email address field when I clicked my order
status from my email. Weird,” the person said.

Bayfield told PCMag, “Well, I thought it was someone pranking me to be
honest,” before realizing the leak was real. He signed up for Nvidia’s
website about a week ago to try and obtain the RTX 3080. But doing so
only ended up exposing some of his personal information.

“What an absolute joke of a launch 30 series has been though,” he
added, alluding to how the 3080 card has been almost impossible to
obtain due to bots and resellers. “Not very impressed that they leaked
my email (even though it's not exactly a secret).”

Nvidia told PCMag: "We are investigating the issue and will provide
further information once it is available." In the meantime, the
company has taken the order status webpage down for maintenance.

It’s unclear how many users were affected by the leak, and exactly
what information was divulged. However, at least two users say they
even encountered credit card information partially exposed over
Nvidia’s order status page when the site was still up.

