Individual Bestbuy email subscription pages are apparently indexed by Google

I stumbled upon this today because I googled a certain phrase and the first two results led me to a personalized email (un)subscribe form with individual e-mail addresses at the top.

I thought that that was not great, so I submitted it to HackerOne as per BB's responsible disclosure policy, but they closed the report and changed the status to "Informative".

> Thank you for your submission! Although your finding might appear to be a security vulnerability, this behavior does not really pose a concrete and exploitable risk to the platform. Bestbuy only views this as an issue if the links are obtainable from Bestbuy systems directly, which doesn't appear to be the case here. Your effort is nonetheless appreciated and we wish that you'll continue to research and submit any future security issues you find.

Are they right, is this no big deal and am I overreacting?

Not sure if I should share the actual search term that produces these URLs here, but I'd be happy to share it with dang.

5 points | by appel 1 day ago

1 comment

  • mindcrash 14 hours ago
    They should at least provide a meta tag or response header with noindex on those pages to prevent shit like this:

    https://developers.google.com/search/docs/crawling-indexing/...

    If they didn't, BB did create a privacy leak, because in that case all those pages could be potentially indexed by GoogleBot or anyone else, and you should create some more noise in their direction.
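
An added example (not part of the thread, and not Best Buy's code): a Python check of whether a response carries the noindex signal the comment above describes, either as an `X-Robots-Tag` response header or as a robots meta tag. The sample responses, the page markup and the `otherbot` crawler name are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" means "noindex, nofollow"
# These directives carry their own "name: value" colon, so they are not crawler names.
VALUED = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}

def _split(value):
    return [d.strip().lower() for d in value.split(",") if d.strip()]

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="<bot>">."""
    def __init__(self, bot):
        super().__init__()
        self.names, self.directives = {"robots", bot}, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in self.names:
            self.directives += _split(a.get("content", ""))

def header_directives(headers, bot):
    """Directives from X-Robots-Tag headers that apply to every crawler or to `bot`."""
    found = []
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        head, sep, rest = value.partition(":")
        scope = head.strip().lower()
        if sep and "," not in scope and scope not in VALUED:
            value = rest if scope == bot else ""  # ignore rules for other crawlers
        found += _split(value)
    return found

def is_indexable(headers, body, bot="googlebot"):
    """True when neither the headers nor the HTML tell `bot` not to index the page."""
    meta = _RobotsMeta(bot)
    meta.feed(body)
    return not BLOCKING & set(header_directives(headers, bot) + meta.directives)

# Constructed responses for a hypothetical email-preferences page.
PAGE = "<html><head><title>Email preferences</title></head><body>...</body></html>"
META = PAGE.replace("<head>", '<head><meta name="robots" content="noindex">')
SAMPLES = {
    "no directive": ([("Content-Type", "text/html")], PAGE),
    "header noindex": ([("X-Robots-Tag", "noindex, nofollow")], PAGE),
    "meta noindex": ([("Content-Type", "text/html")], META),
    "other crawler only": ([("X-Robots-Tag", "otherbot: noindex")], PAGE),
}
for label, (headers, body) in SAMPLES.items():
    print(f"{label}: indexable by googlebot = {is_indexable(headers, body)}")
```

A crawler only sees a noindex directive if it is allowed to fetch the page, so such URLs must not also be disallowed in robots.txt.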