[ic] MAGJOR New Account BUG!!!

Eric Hull eric@webuildpcs.com
Mon, 30 Oct 2000 09:54:27 -0600

This is a BIG PROBLEM - here is an email I received from a customer:

There appears to be a possible security problem with your site.
I just tried to create an account at your site, and it appeared to
accept the account name ("wendy") and password that I entered, then
displayed the message "Welcome to webuildpcs.com, Theresia!" The account
information associated with that name is for a Theresia Edgar, in GA,
and it has nothing to do with me.
	From a customer's perspective, this is very disturbing. If this
Theresia is a real person, there is no way I should have been able to
see her account information, accidentally or otherwise. It certainly
does not inspire customer confidence in your security! If, on the other
hand, that account information is intended as a "blank", a starting point,
I would have to suggest to you that it is a bad idea, as it is confusing
and misleading at best. At worst, it looks like a security breach which
would undoubtedly turn customers away. Blank fields would be better.
	The primary reason that I am telling you about this is so that if
it is in fact a security issue, you can correct it before someone takes
malicious advantage of it. The other reason is that I worked in customer
service for a long time, and was constantly told that 90% of the customers
who go to competitors to do their business will never tell you why. So
when someone submits a complaint or request, it is a rare chance to fix
a problem that is probably coming between you and many, many more potential
customers than just the ones who bother to tell you.
	In the meantime, I do still want to order two computer cases from
you, but given the nature of the problem, I'm going to be prudent and
wait until business hours to call the order in.

What the heck is the problem with IC?
We have searched and searched and found no docs on this or even where to
"refresh" this page - I have to take our site offline now and that means I
will be losing $$$

Eric Hull

-----Original Message-----
From: interchange-users-admin@minivend.com
[mailto:interchange-users-admin@minivend.com]On Behalf Of Strider
Sent: Thursday, October 26, 2000 9:36 PM
To: interchange-users@minivend.com
Subject: Re: [ic] MAGJOR New Account BUG!!!

    I will second this as I have seen the same thing here in testing. I
think this is part of the error handling schema and a lack on the part of
Interchange to tell if this is the first time or not this form is being
displayed to a user. In other words there seems to be a big flaw in the
state checking of the order
anyone have any ideas?

    BTW, we have our first store in production and all seems well. The URL is
http://www.greenpond.com and any comments or questions are always
appreciated, you can send them to me or info@pwrgroup.com.   :-)

Beriah Dutcher wrote:

> Hey Everybody,
>         Well, my interchange web is doing good. Been getting 200 hits a
> day and LOTS of items placed in baskets. However, FEW orders placed. I
> equated to first, the lack of a Secure Cert, second the price of shipping,
> then yesterday I found a slight problem. When I got the secure thing fixed
> and the shipping was dropped all the way to EXACTLY what UPS charges we were
> STILL not getting orders.  So I had a phone order yesterday and asked the
> customer to go through the web and place an order (gave him 5 bucks off his
> purchase :) ). He called back with the problem at hand. When creating a new
> account either from the login page or the processing page link, the new
> account page fills itself in with the data of LAST person that created an
> account!!! Very VERY bad. This gives out the person's address and phone and
> EVERYTHING. I have not figured out why this is happening so I thought I
> would write the list.
> Beriah
> _______________________________________________
> Interchange-users mailing list
> Interchange-users@www.minivend.com
> http://www.minivend.com/mailman/listinfo/interchange-users

Strider Centaur

   " It is my observation that unless you really understand the issues, you
hardly in a position to criticize.   Nearly all Linux users have used
but very few Windows users have used Linux. " -- Me
