Major Online Retailer Let Customers Authenticate Without a Password for Over a Year

Everyone in the world is well aware of how consumer privacy is only taken semi-seriously by most service providers. Some companies do a better job than others, but there are very troublesome exceptions on the other end of the spectrum as well. One Hong Kong-based online retailer feels password protection is optional. Users can sign into their private account by just providing an email address. This platform is evidently asking for trouble.

A Bad Password is Better Than no Password

We live in the year 2017 and for some reason, there are still sites who feel passwords are an optional security measure. While it is true a lot of consumers use terrible passwords to protect their accounts and information, the option should always be there as a minimum security measure. Strawberrynet, a well-known Hong Kong online retailer, feels passwords are a thing of the past. Instead, they let users log in with just an email address, which is anything but secure.

It is unclear why the company cares so little about customer privacy, though. Considering the platform is often visited by people who want to buy things – and store their payment information accordingly – such a lack of protection is absolutely disgusting. An express checkout feature is one thing, but not asking for any form of proper authentication is just mind boggling.

One could argue this is a temporary measure which is currently being addressed by the Strawberrynet site developers. Unfortunately, that is not the case, as the entire platform has been built purposefully to avoid using passwords for the express checkout system. There is no reason anyone can justify such a decision, that much is certain. Moreover, it is impossible to comprehend no one pointed out this issue before and made a big deal of it.

In fact, one security researcher started investigating the platform in August of 2016. By correctly “guessing” an email address, he was able to view that particular customer’s name and address, as well as home and mobile phone numbers. Thankfully, no payment information was exposed, even though this clear lack of protection is still quite worrisome. Moreover, the researcher could modify existing account data except for payment information, which is not a good sign.

Don’t be mistaken in thinking Strawberrynet is not aware of this problem. The researcher reported his findings to the company, who promptly replied how “authenticating with just an email address provides sufficient security.” Such a lackluster stance toward proper consumer information protection is absolutely unacceptable. The company started obfuscating customer information, but a click “View Source:” of the web page still shows sensitive information stored in clear text values.

After facing a ton of public backlash for this security issue, it now appears Strawberrynet will finally let customers opt-in to enable password security. It only took them nearly a full year to finally implement a security feature which should have been present from day one. Anyone who takes their online privacy seriously and uses Strawberrynet for shopping purpose should move to a different platform asap.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.