Vistaprint Logomaker files viewable due to insecure Amazon S3 bucket
Vistaprint. Everyone knows it and probably almost everyone knows somebody who has used the firm to design or print business cards, brochures, or other business-related stationery or marketing-related materials.
Recently I was on Vistaprint’s site to create a new logo for ctrlbox.com. To my unpleasant surprise, I discovered that the preview of my logo displayed in my cart was hosted on an insecure Amazon S3 bucket that allowed viewing of more than 638,000 files.
Many of the files were default Logomaker images, but many others were logos made by users of Vistaprint’s Logomaker service. Logomaker appears to be the only Vistaprint service that serves files directly from an S3 bucket; the other services render their previews and content in your chosen style through a different third-party web service.
While this is not a huge risk to personal security, or even a leak of personal data beyond some test and saved logos from an online service, it is yet another reminder that no matter how big a corporation is, mistakes happen with cloud services, which are used more and more frequently these days. A bucket that permits anonymous listing is the worst version of this mistake: even when individual object URLs are meant to be unguessable, a listable bucket hands every key to anyone who asks for the bucket root.
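As an added example (not code from the original post, and not Vistaprint’s or Cimpress’s own tooling), here is a Python check for the two sides of this kind of exposure: whether a bucket policy grants `s3:ListBucket` to everyone, and what an unauthenticated ListObjectsV2 request against a listable bucket actually returns. The bucket name `example-logo-previews`, both policy documents and the XML response are constructed for illustration; the virtual-hosted endpoint format and the `ListBucketResult` schema are AWS’s real ones.

```python
"""Checks for the misconfiguration in this report: an S3 bucket anyone can list.
Bucket name, policies and XML below are constructed for the example; the
endpoint format and the ListBucketResult schema are AWS's own."""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
BUCKET = "example-logo-previews"  # hypothetical bucket name

# Weak policy: an Allow to Principal "*" that covers s3:ListBucket, so an
# unauthenticated GET on the bucket root returns the whole object inventory.
PUBLIC_LIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

# Narrower policy: individual objects stay fetchable (a cart preview needs
# that) but the key space is no longer enumerable. Presigned URLs or a CDN
# origin access identity would remove even the public GetObject.
PRIVATE_LIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def policy_allows_public_listing(policy: dict) -> bool:
    """True if any Allow statement grants s3:ListBucket to everyone.
    Ignores Condition blocks (over-approximates) and bucket ACLs, which can
    open listing the same way; Block Public Access shuts off both routes."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if isinstance(principal, str):
            principal = [principal]
        if "*" not in (principal or []):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.lower() in ("*", "s3:*", "s3:listbucket") for a in actions):
            return True
    return False


def parse_listing(body: bytes) -> dict:
    """Parse one page of a ListObjectsV2 (ListBucketResult) response."""
    root = ET.fromstring(body)
    if root.tag != "{%s}ListBucketResult" % S3_NS["s3"]:
        raise ValueError("not a ListBucketResult document: " + root.tag)
    keys = [c.findtext("s3:Key", namespaces=S3_NS)
            for c in root.findall("s3:Contents", S3_NS)]
    truncated = root.findtext("s3:IsTruncated", "false", S3_NS) == "true"
    token = root.findtext("s3:NextContinuationToken", None, S3_NS)
    return {"bucket": root.findtext("s3:Name", None, S3_NS), "keys": keys,
            "truncated": truncated, "next_token": token if truncated else None}


def anonymous_listing(bucket: str, max_pages: int = 3):
    """Unauthenticated ListObjectsV2 against the virtual-hosted endpoint.
    Returns (listable, keys): 200 with a ListBucketResult means anyone can
    enumerate the bucket, 403 means listing is closed, 404 means no bucket.
    Follows continuation tokens for up to max_pages pages of 1000 keys."""
    base = f"https://{bucket}.s3.amazonaws.com/?list-type=2"
    keys, token = [], None
    for _ in range(max_pages):
        url = base if token is None else \
            base + "&continuation-token=" + urllib.parse.quote(token, safe="")
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                page = parse_listing(resp.read())
        except urllib.error.HTTPError as err:
            if err.code in (403, 404):
                return False, keys
            raise
        keys.extend(page["keys"])
        token = page["next_token"]
        if token is None:
            break
    return True, keys


# Constructed response: the first page a listable bucket hands back.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-logo-previews</Name><Prefix></Prefix>
  <KeyCount>2</KeyCount><MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <NextContinuationToken>1ueGcxLPRx1Tr-constructed-token</NextContinuationToken>
  <Contents><Key>previews/default/shield-01.png</Key><Size>14021</Size></Contents>
  <Contents><Key>previews/user/7f3a9c/logo-draft.png</Key><Size>20877</Size></Contents>
</ListBucketResult>"""
```

Run `parse_listing(SAMPLE_LISTING)` offline to see the shape of a listing page; `anonymous_listing("your-bucket")` performs the live check against a bucket you own and is the quick way to confirm a fix like Vistaprint’s actually closed the bucket root rather than just one object URL. `IsTruncated` matters: each page carries at most 1000 keys, so an inventory the size described here would only be visible by following the continuation tokens.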
My first attempt to notify Vistaprint on December 28 was not wholly successful. I contacted them over Twitter, but after explaining to them what the problem was, their Twitter team told me whom to contact for any problems with my account. I had to explain again that this was not a problem with just my account but for everyone who used the logomaker service. Their reply to that was to assure me that they would forward my notification. They also thanked me for alerting them to the issue.
By 9 am that same day, the problem was fixed: the S3 bucket was no longer exposing its contents and the website cart was functioning fine.
In addition to notifying Vistaprint, I also contacted Cimpress, the parent company of Vistaprint. In the process of trying to find out how to contact them, I discovered that they have two other domains on the same IP address as their .com domain. Neither of these other domains has a proper SSL certificate, and both redirect to the .com domain if you click through the browser’s warning about the failed SSL certificate. That is obviously not good.
This relatively minor incident may leave readers wondering “Where are the millions of people affected?” That’s not what my reports on this site are about. We are not looking for FUD-type headlines, but to quietly and consistently help entities secure their data. In Vistaprint’s case, this is their second leak or exposure in one month. In November, Oliver Hough tried to notify them of a leak involving personal information. He had attempted contact via Twitter, but the way he went about it may not have helped Vistaprint’s Twitter team really understand his notification. When TechCrunch then contacted them (and ultimately reported on it), Vistaprint responded.
I have re-contacted Vistaprint to see if they would confirm that my report led to this being closed, but even without their reply, it seems pretty clear from the time frame that this is the case.
Research and reporting by Lee J.