Flipkart.com exposes user’s email id, name, address


I am a new Flipkart user. I very much like Flipkart for the wide range of products available, low price, 24 x 7 customer care, in-time delivery. By looking at Flipkart’s Facebook page facebook.com/flipkart which has more than 850k people following, I believe Flipkart will have a minimum of 1 million users.

I recently ordered a Canon Lide 110 scanner from Flipkart, and got an email the next day with a link to track my order. The order tracking page has details about shipping to help us track where the package is. I wanted to quickly check if the order page is available only for my login session or for anyone on the web. Shockingly, the URL works for anyone, and it is even enabled for search engine crawling.

Just a simple Google search will give you a lot of Flipkart order details. From these links, you will notice:

- The email id of the user is available in the URL of the tracking page

- The user’s name, city and PIN code are available in the tracking page

Below are just a few of the Flipkart users’ order details available in public.

I would recommend that Flipkart do one of the following to ensure users’ privacy.

- Make the order tracking page available only for the signed in user who made that order

- or, at least remove these order tracking pages from Google’s search results (How to do this)
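A sketch of both recommendations in one request handler, as an added example that is not part of the original post and is not Flipkart's code. The function names, the in-memory order store and the sample buyer are hypothetical and constructed for illustration; the handler is framework-free and returns a status, headers and body.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Order:
    owner_id: str   # internal account id of the buyer, never placed in the URL
    name: str
    city: str
    pin_code: str
    status: str

ORDERS = {}  # hypothetical in-memory store: opaque order id -> Order

def create_order(owner_id, name, city, pin_code):
    # The tracking URL carries a random token instead of the buyer's email id.
    order_id = secrets.token_urlsafe(16)
    ORDERS[order_id] = Order(owner_id, name, city, pin_code, "Shipped")
    return order_id

# Sent on every response: tells crawlers not to index the page and
# tells shared caches not to store it.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Cache-Control": "private, no-store",
}

def track_order(session_user_id, order_id):
    """Handle GET /orders/<order_id>/track; returns (status, headers, body)."""
    if session_user_id is None:
        # No login session: never render order details.
        return 401, PRIVATE_HEADERS, {"error": "sign in to track this order"}
    order = ORDERS.get(order_id)
    # Unknown order and someone else's order get the same answer, so the
    # response does not confirm that a guessed order id exists.
    if order is None or order.owner_id != session_user_id:
        return 404, PRIVATE_HEADERS, {"error": "order not found"}
    return 200, PRIVATE_HEADERS, {
        "status": order.status,
        "name": order.name,
        "city": order.city,
        "pin_code": order.pin_code,
    }

# Constructed sample data.
SAMPLE_ORDER_ID = create_order("user-1", "Example Buyer", "Bengaluru", "560001")
```

The `X-Robots-Tag` header only keeps pages out of search results; the ownership check is what stops anyone who holds the link from reading the details.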

I am also sending this post as an email to business@flipkart.com so that they can take action.


Got an immediate response from Flipkart CEO saying they will soon fix this.