Because of a website security snafu, the online real estate platform Redfin made random users’ names, email addresses, and phone numbers available to others who log onto listings. The vulnerability lasted less than a week, the company said.
The personal identification information became visible to other users who were viewing real estate listings. The information would appear momentarily when a contact information form popped up on a listing; the form would be pre-filled with details from past users, which would quickly vanish.
The contact information of past users, however, would remain visible when the listing was viewed with JavaScript disabled. JavaScript is a programming language used to make websites interactive; in many browsers, it can be turned off in general or for specific sites.
Past users’ email addresses or phone numbers, and sometimes both, were displayed.
“We recently identified a technical error on the website that temporarily made it possible for the e-mail address and/or phone number of a previous visitor to be visible to another user on a rental listing page,” said Alina Ptaszynski, a Redfin spokesperson. “This error was active for less than a week and was remediated as soon as we were made aware of it.”
After The Intercept initially contacted Redfin, the company changed the way its website contact form is displayed for desktop web browsers, but the vulnerability persisted on mobile listings. After a subsequent inquiry from The Intercept, the mobile listings’ contact form was updated as well.
Redfin, a giant brokerage house that pioneered map-based online real estate listings, claims to have 50 million monthly users, according to Rocket, its parent company.
The data vulnerability displayed only one user’s contact information at a time, but data could have been collected en masse by someone making repeated visits to property listings and serially gathering available information. (Redfin did not respond to a question about whether there was any evidence the vulnerability had been exploited to collect bulk user information.)
Using reverse phone number and email search databases, The Intercept confirmed that the email addresses and phone numbers are valid contact information belonging to real people, not just dummy data that developers sometimes use when testing their code.
Inadvertently revealing user information is a problem which has plagued web services for years.
Redfin’s privacy policy says the company may share private information, but only when the prompt to provide that data is accompanied by a disclosure. The property contact form, however, does not provide a disclaimer that a user’s contact information might be shared, let alone with subsequent users.
