Reminder: Don't Post Your Email

suggestions
fix-guide
issue

#1

In case you’re not aware, Pimax allows unthrottled public queries on their Check Your Order page without doing any kind of credential checks.

Once entered, the page lists your name, order details, full address, and phone number… all in a neat pile of very much personally identifiable information essentially up for grabs with minimal effort (as in, I doxxed myself with a dozen lines of Python. Just enter email and wait a minute.)

Note that changing your account details unfortunately does not affect the order details, so they’re available now and forever unless Pimax does something about it.

I have an open ticket with Pimax about the issue, but there’s not much hope there as the rep I got doesn’t seem to understand at all. (“where you find this problem which I dont think so ?”)


#2

Maybe @PimaxUSA should be in the loop on this one.

If you could post the ticket number too, he can probably help out with any “translation” issues or at least show the guys the right direction… 🙂


#3

They’re aware of it, but brushed it off and did some ego flaunting previously:


#4

I think we need pimax’s tech team to try & get this resolved to skip a bunch of red tape.

@Sean.Huang @xunshu @Doman.Chen @PimaxVR @Dallas.Hao

This is a serious issue.


#5

Yeah, really, wouldn’t it be simple to check an order status by only entering the order number? Otherwise, to verify details, log in as said to see private details.

If a big star had their private, discreet address made public…
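
As an added illustration (not code from this thread, from Pimax, or from any poster), here is the weak order-lookup design described in #1 next to a hardened version along the lines of what #5 proposes: the caller must present the order number together with the email address on that order, the comparison is constant-time and fails the same way for unknown order numbers and wrong emails, the endpoint is throttled per client, and the response carries only the shipping status plus masked contact data instead of the full name, address and phone number. The order records, email addresses and rate-limit figures are constructed sample values and assumptions, not real data.

```python
import hmac
import time

# Constructed sample order records; none of this is real customer data.
ORDERS = {
    "PM-1001": {"email": "alice@example.com", "name": "Alice Example",
                "address": "1 Sample Street, Exampletown",
                "phone": "+1-555-0100", "status": "shipped"},
    "PM-1002": {"email": "bob@example.com", "name": "Bob Example",
                "address": "2 Sample Street, Exampletown",
                "phone": "+1-555-0101", "status": "processing"},
}


def lookup_by_email_unchecked(email):
    """The weak design the thread describes: anyone who knows an email
    address receives every matching order with its full PII. There is no
    second proof of ownership and no throttling, so the lookup can be driven
    with nothing more than an address list."""
    return [dict(order, order_number=number)
            for number, order in ORDERS.items() if order["email"] == email]


class RateLimiter:
    """Fixed-window limiter keyed by a client identifier such as the source
    IP. The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests   # assumed policy value
        self.window = window_seconds       # assumed policy value
        self.clock = clock
        self._hits = {}                    # client_id -> (window_start, count)

    def allow(self, client_id):
        now = self.clock()
        start, count = self._hits.get(client_id, (now, 0))
        if now - start >= self.window:     # window expired: start a new one
            start, count = now, 0
        count += 1
        self._hits[client_id] = (start, count)
        return count <= self.max_requests


def mask_phone(phone):
    """Keep only the last four digits of a phone number."""
    digits = [c for c in phone if c.isdigit()]
    return "***-" + "".join(digits[-4:])


def mask_address(address):
    """Keep only the town/city portion after the last comma."""
    return "... " + address.rsplit(",", 1)[-1].strip()


def lookup_order_hardened(order_number, email, client_id, limiter):
    """Order status lookup that requires both the order number and the email
    on that order, throttles per client, fails identically for every wrong
    input, and returns only minimal, masked data."""
    if not limiter.allow(client_id):
        return {"error": "too many requests"}
    order = ORDERS.get(order_number)
    # Compare against an empty value when the order does not exist so that
    # response timing does not reveal which order numbers are valid.
    expected = (order["email"] if order else "").encode()
    supplied = email.strip().lower().encode()
    if order is None or not hmac.compare_digest(expected, supplied):
        return {"error": "no matching order"}
    return {
        "order_number": order_number,
        "status": order["status"],
        "ship_to": mask_address(order["address"]),
        "phone": mask_phone(order["phone"]),
    }


if __name__ == "__main__":
    print("unchecked:", lookup_by_email_unchecked("alice@example.com"))
    limiter = RateLimiter(max_requests=5, window_seconds=60)
    print("hardened: ", lookup_order_hardened("PM-1001", "alice@example.com", "198.51.100.7", limiter))
    print("wrong email:", lookup_order_hardened("PM-1001", "bob@example.com", "198.51.100.7", limiter))
```

The hardened handler still discloses something (shipping status and a town name) to anyone holding both the order number and the email, which is the trade-off a "check your order" page makes deliberately; what it no longer does is hand the full name, street address and phone number to whoever can guess or harvest an email address, and the per-client limit turns bulk enumeration into something the server can notice and block.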


#6

The latest reply from support is only more ignorance on the matter:

“Your personal information will be kept strictly confidential. Please rest assured.”

This very assuring reply came after I explicitly demonstrated their site is leaking data like a sieve, but support still refuses to acknowledge the issue at all.


#7

So if you have shared your email address with anyone, whether through PM or publicly, anyone who has it can view all your private info. This is not right, Pimax; there is a BIG difference between sharing your email address and sharing your real first and last name and telephone number.

@PimaxUSA please talk some sense into this issue.


#8

This is correct.

Heliosurge reached out to me via PM and I’ve supplied them with the vulnerability details. Hoping it’ll finally go somewhere.

Support really really really doesn’t seem to understand anything I’ve said to them.