TP LINK – RMA Website Failure to protect customers' data, revealing credit card numbers, details & addresses.
Link still live as of 18:33 GMT 25th January 2017
Earlier today I brought to the attention of TP Link UK customer services my severe concerns that my invoice for a modem I purchased was publicly viewable to anyone with access to a web browser via an unprotected URL link. Luckily I purchased this modem with cash in PC World Chelmsford, Essex; otherwise my credit card number would be viewable online as well as my name and address, making it easy pickings for identity theft.
I received the following email in reply:
Sorry for the issue caused to you. I don’t think everyone can read your receipt because someone has to log in to your account to see the details of your case, and from my side, I can’t see this receipt on our system, but I will definitely report it to our IT dep.
We will be happy to replace your faulty W9980. However if you are unhappy to pay £24 to get an advanced service, we could send out a replacement first by blocking the same value of W9980 on your credit card and we will unblock it as soon as you return your W9980 to us. If you agree with it, I will send you the form for you to sign and will arrange it for you.
RMA Processor UK
TP-Link UK Ltd
Unit 2-4 Riverview Cardiff Rd Reading RG1 8EW
I then decided to look further into this issue with the website's security. This website is where anyone in the UK would register a product manufactured by TP Link, and part of registration involves uploading your receipt to validate the warranty period. The receipt usually carries your name, address and sometimes credit card details, depending on where you purchased the product.
I logged out of my account and pasted the following URL, https://warranty.uk.tp-link.com/MyProduct.aspx, into my web browser, in which I had cleared all the cookies, saved passwords and history. It supplied me with 2 customers' invoices that could be viewed fully without any login. See video https://youtu.be/wgw6vqoVihI
This is yet another example of a company owned and operated from China which has shown a blatant disregard for its customers' privacy and security.
I urge you all to check and ask for your information to be removed from this insecure company's website, as your data is publicly available for any hacker or cyber criminal to steal.
If you need any further help or advice in this matter, please feel free to contact us via the contact link and we will try our best to get back to you in a timely manner.