Reminder: Don't Post Your Email

rava · May 6, 2019, 5:46am

In case you’re not aware, Pimax allows unthrottled public queries on their Check Your Order page without doing any kind of credential checks.

Once entered, the page lists your name , order details , full address , and phone number
…all in a neat pile of very much personally identifiable information essentially up for grabs with minimal effort (as in, I doxxed myself with a dozen lines of python. Just enter email and wait a minute.)

Note that changing your account details unfortunately does not affect the order details, so they’re available now and forever unless Pimax does something about it.

I have an open ticket with Pimax about the issue, but there’s not much hope there as the rep I got doesn’t seem to understand at all. ( “where you find this problem which I dont think so ?” )

DrWilken · May 6, 2019, 7:37am

Maybe @PimaxUSA should be in the loop on this one.

If You could post the ticket number too, he can probably help out with any “translation” issues or at least show the guys the right direction…

rava · May 6, 2019, 8:47am

They’re aware of it, but brushed it off and did some ego flaunting previously:

Heliosurge · May 6, 2019, 4:35pm

I think we need pimax’s tech team to try & get this resolved to skip a bunch of red tape.

@Sean.Huang @deletedpimaxrep1 @Doman.Chen @PimaxVR @anon74848233

This is serious issue.

Heliosurge · May 6, 2019, 4:51pm

Yeah really wouldn’t it be simple to check an order status with only entering order number? Otherwise to verify details login as said to see private details.

If a big star had their private discrete address made public…

rava · May 15, 2019, 6:53am

The latest reply from support is only more ignorance on the matter:

“Your personal information will be kept strictly confidential. Please rest assured.”

This very assuring reply came after I explicitly demonstrated their site is leaking data like a sieve, but support still refuses to acknowledge the issue at all.

burstingtops · May 18, 2019, 12:46am

So if you have shared your email address with anyone, whether through PM or publicly, anyone who has it can view all your private info. This is not right Pimax, there is a BIG difference between sharing your email address and sharing your real first and last name and telephone number.

@PimaxUSA please talk some sense into this issue.

rava · May 20, 2019, 7:34am

This is correct.

Heliosurge reached out to me via PM and I’ve supplied them with the vulnerability details. Hoping it’ll finally go somewhere.

Support really really really doesn’t seem to understand anything I’ve said to them.

brian91292 · May 22, 2019, 3:36pm

I’m pretty sure Pimax uses a team of trained monkeys for their support team.

saraki · May 24, 2019, 3:42am

This system never gave me any info. The status was always blank then out of the blue I had an email with the tracking number. And yes, it was very late than Pimax implied in their order confirmation email. But the sad thing is that I feel that the staffs here are also stressed with the situation perhaps indicating that the individuals we deal with has no jurisdiction over solving the root cause.
I like the products despite the small quirks here and there so I really wish the company will fix their weakest part of the link.

rava · May 27, 2019, 11:53am

Interesting, it’s currently not doing anything on my end (no emails, no nothing.)

Hopefully something is being done.

rava · June 20, 2019, 7:16am

The Check Your Order page has been closed (good), but the backend is still up so the vulnerability remains (bad.)