Exposed data included each customer's full contact information (name, physical address, email address, telephone number, etc.), the PGP product and version level purchased by the customer, and the customer's operating system (Windows or Mac).
For some customers, partial credit card information was also exposed, including the type of card the customer used (Visa, Amex, etc.), the last four digits of the card number, the card's expiration date, and the first and last name associated with the card.
The type and amount of data exposed could have subjected PGP customers to an extremely effective targeted phishing attack: a message that quotes the exact product, version and last four card digits reads like a genuine renewal notice, especially given PGP's reputation as a leader in the data protection market.
The vulnerability was an Insecure Direct Object Reference (IDOR): a product renewal URL selected a customer's record by an identifier carried in the URL itself, and the page was not protected by any form of authentication, so anyone who reached the URL with a valid identifier could view that customer's data.
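The pattern described above, as an added example that is not PGP's code and does not reproduce their renewal page: a lookup driven only by an identifier in the request, beside the hardened form that first requires a login and then checks that the logged-in account owns the record. The record layout, the sequential `order_id`, the sample customers and the function names are all assumptions for illustration; the token-based variant at the end goes beyond the fix the page describes and shows how an emailed renewal link can be made safe without a login.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


class AuthError(Exception):
    """Raised when a request arrives without an authenticated session."""


@dataclass(frozen=True)
class RenewalRecord:
    order_id: int      # assumed sequential here, which makes it trivially enumerable
    account_id: int    # the account that owns this record
    name: str
    email: str
    product: str
    card_last4: str    # only the last four digits are stored in this example


@dataclass(frozen=True)
class Session:
    account_id: int    # identity established by a login, never by a URL parameter


# Constructed sample data for the example; these are not real customers.
RECORDS: Dict[int, RenewalRecord] = {
    1001: RenewalRecord(1001, 1, "Alice Example", "alice@example.com", "PGP Desktop 9.9", "4242"),
    1002: RenewalRecord(1002, 2, "Bob Example", "bob@example.com", "PGP Whole Disk 9.9", "1881"),
    1003: RenewalRecord(1003, 3, "Carol Example", "carol@example.com", "PGP Desktop 9.10", "0005"),
}

# Capability tokens issued for emailed renewal links (token -> order_id).
TOKENS: Dict[str, int] = {}


def _view(rec: RenewalRecord) -> dict:
    """The fields the renewal page renders for a record."""
    return {"name": rec.name, "email": rec.email,
            "product": rec.product, "card_last4": rec.card_last4}


def vulnerable_renewal(order_id: int) -> Optional[dict]:
    """IDOR: the record is chosen purely by the identifier in the request.
    No session is required, so anyone who can reach the page can read any
    record, and guessable identifiers turn that into bulk enumeration."""
    rec = RECORDS.get(order_id)
    return _view(rec) if rec else None


def fixed_renewal(order_id: int, session: Optional[Session]) -> Optional[dict]:
    """Hardened lookup: require a session, then require that the session's
    account owns the record. A record owned by someone else is reported the
    same way as a missing one, so the response does not confirm the ID exists."""
    if session is None:
        raise AuthError("login required")
    rec = RECORDS.get(order_id)
    if rec is None or rec.account_id != session.account_id:
        return None
    return _view(rec)


def anonymous_request_rejected(order_id: int) -> bool:
    """True if the hardened handler refuses an unauthenticated request."""
    try:
        fixed_renewal(order_id, None)
    except AuthError:
        return True
    return False


def enumerate_records(handler: Callable[[int], Optional[dict]], ids: Iterable[int]) -> int:
    """Walk an identifier range as an anonymous client and count the records
    returned; this is the data-harvesting step an IDOR makes possible."""
    found = 0
    for oid in ids:
        try:
            if handler(oid) is not None:
                found += 1
        except AuthError:
            break  # the hardened handler stops an anonymous walk at the first request
    return found


def issue_renewal_token(order_id: int) -> str:
    """Alternative for emailed renewal links where no login exists: bind the
    record to a random, unguessable capability token instead of its order ID."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = order_id
    return token


def renewal_by_token(token: str) -> Optional[dict]:
    """Resolve a renewal link by token, comparing in constant time so the
    lookup does not leak how much of a guessed token matched."""
    for known, oid in TOKENS.items():
        if hmac.compare_digest(known, token):
            return _view(RECORDS[oid])
    return None
```

The ownership check is the part that actually closes the hole: authentication alone only tells you who is asking, and a logged-in customer could still walk other customers' order IDs unless the handler also verifies that the record belongs to them.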
This vulnerability was disclosed to PGP on October 17, 2009. PGP acknowledged the issue on October 22 and implemented a fix; however, my re-testing indicated that the problem was not resolved, and I communicated those results back to them the same day. I sent a follow-up email on November 5, as there had been no updates from PGP. On November 9, PGP responded that they were planning to add authentication to protect the renewal function. I verified that the vulnerability still existed on November 11. The issue appears to have been fixed on November 12.