Redfin's Listing Contact Forms Exposed Users' Personal Info for Less than a Week
In a shocking security lapse, the online real estate giant Redfin made users' personal info available to others who logged onto its listings. A website security snafu left users' names, email addresses, and phone numbers exposed for less than a week.
The vulnerability occurred when users accessed contact information forms on listings. The form would pop up with details from past users, which would temporarily vanish. However, the contact info of past users remained visible even after disabling JavaScript, leaving their email addresses or phone numbers – sometimes both – open to prying eyes.
When confronted about the issue, Redfin spokesperson Alina Ptaszynski claimed that a technical error was responsible for the vulnerability and that it was quickly remedied. However, a subsequent investigation by The Intercept revealed that the company failed to address the problem on mobile listings until after multiple inquiries from the news outlet.
The security breach has raised concerns about data protection at Redfin, which boasts 50 million monthly users according to its parent company Rocket. While the vulnerability displayed only one user's contact information at a time, it could have been exploited by someone repeatedly visiting property listings and gathering available info en masse – with no indication that such exploitation had occurred.
The incident highlights the ongoing struggle for web services to balance functionality with data protection. In this case, Redfin's privacy policy states that private information may be shared only when accompanied by a clear disclosure – a principle not fully adhered to in the contact form's design.
As The Intercept noted, inadvertently revealing user info is an all-too-common problem plaguing web services for years.
In a shocking security lapse, the online real estate giant Redfin made users' personal info available to others who logged onto its listings. A website security snafu left users' names, email addresses, and phone numbers exposed for less than a week.
The vulnerability occurred when users accessed contact information forms on listings. The form would pop up with details from past users, which would temporarily vanish. However, the contact info of past users remained visible even after disabling JavaScript, leaving their email addresses or phone numbers – sometimes both – open to prying eyes.
When confronted about the issue, Redfin spokesperson Alina Ptaszynski claimed that a technical error was responsible for the vulnerability and that it was quickly remedied. However, a subsequent investigation by The Intercept revealed that the company failed to address the problem on mobile listings until after multiple inquiries from the news outlet.
The security breach has raised concerns about data protection at Redfin, which boasts 50 million monthly users according to its parent company Rocket. While the vulnerability displayed only one user's contact information at a time, it could have been exploited by someone repeatedly visiting property listings and gathering available info en masse – with no indication that such exploitation had occurred.
The incident highlights the ongoing struggle for web services to balance functionality with data protection. In this case, Redfin's privacy policy states that private information may be shared only when accompanied by a clear disclosure – a principle not fully adhered to in the contact form's design.
As The Intercept noted, inadvertently revealing user info is an all-too-common problem plaguing web services for years.
Redfin's security breach was super lazy and it's just crazy how much info they exposed online. Like what if someone saw their email or phone number? It's not like it's a secret identity or anything, but still. And the fact that it took them so long to fix the issue on mobile listings is just embarrassing. I mean, come on 50 million users is not something to be taken lightly! You'd think they'd have better tech in place to protect all that info. Now my kid's teaching me about web security and I'm like "yep I got this one wrong". Guess it's a good lesson learned for both of us 
I'm shocked Redfin didn't think twice about leaving users' personal info out there 
. 50 million monthly users is a lot of people to compromise 
. It's crazy that it took multiple inquiries from The Intercept for them to fix the issue on mobile listings 
.
. This is just another reason why I'll be shopping around for a new real estate platform 
.
. It's like web services are always playing catch-up when it comes to security 
. The Intercept pointed out that this kind of thing happens all the time - it's just frustrating because we're all getting more careful about our online safety 
.
. But still, I'm keeping a close eye on my own online presence 
this redfin thingy gotta get its act together! i mean, 50 million users and still can't protect their info? that's like leaving a door wide open to potential hackers. i'm not saying it was intentional, but come on, how hard is it to keep user info private? 
. A technical error, yeah sure... that's gotta be it... not like they just didn't care enough to test it properly 
. But seriously, this is a big deal and Redfin needs to step up their game when it comes to security. All this stress about data protection, like, get it together guys 
. 50 million monthly users is a lot, but apparently it wasn't enough to prevent this massive data leak 
. I mean, who visits property listings and gathers contact info en masse? sounds like Redfin is just giving out free information here... 
I'm just so frustrated with these tech giants and their lack of accountability 
. Redfin needs to step up their game and prioritize user security over convenience 