Insurtech company Lemonade has refuted claims put forward by a short seller that it has an “unforgivably negligent security flaw” on its website.
Muddy Waters Research LLC alleges that a vulnerability exists on Lemonade’s website that could expose customers’ personally identifiable information (PII).
The investor claims that it was able to log in to and edit Lemonade customer accounts without having to enter any user credentials.
In an open letter to Lemonade CEO Dan Schreiber dated May 13, Muddy Waters CEO Carson Block wrote that the vulnerability was “so gaping” that search engines including Google and Bing, as well as the Wayback Machine, have inadvertently accessed the site and indexed PII belonging to Lemonade customers.
“By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any credentials whatsoever!” wrote Block.
According to Muddy Waters, the flaw appears to have existed since at least July 2020, “but it is detectable via an industry standard off-the-shelf security testing tool that costs $400 per year.”
Block wrote that “it is obvious that Lemonade does not give a f*ck about securing its customers’ sensitive personal information.”
Lemonade denied the existence of a security flaw and said that no security breach had taken place.
“We’ll try to make this short,” Lemonade told Infosecurity Magazine. “What Muddy Waters Research found were links to four insurance quotes shared by Lemonade customers themselves (aka, they loved it so much, they shared ’em).
“That’s not a vulnerability. We designed our quotes to be shareable, so anyone can share their quote with their family, friends, or mortgage bank.
“Turns out some people also like to brag about their quotes on Pinterest and UX blogs. Here’s an example: https://reallygoodux.io/site/lemonade-user-onboarding. Since Google indexes Pinterest and blogs, these links end up being discoverable on Google, and Muddy Waters discovered them.”
They added: “We really hope the people over at Muddy Waters Research did not spend too much time on this.”
Muddy Waters went public with its report of the alleged security flaw without first notifying Lemonade privately. The two accounts differ on what the indexed links grant: Muddy Waters says following one landed it in a logged-in customer account it could edit, while Lemonade says the links were intentionally shareable quote pages.