Following a link to foxstore.com revealed another person's address, phone, and credit card information.
August 19, 2005 8:20 PM
This evening Ms. Chyme followed this link to the "Buy It" link here; when the page loaded not only was the Simpsons DVD in the shopping cart, but also two more Simpsons DVDs and Garfield: the Movie, along with all of someone's personal information, including name, address, phone number, and all credit card information. The CC number is x'd out but for the last four digits, but the security code and everything else is in there. Presumably we could have ordered thousands of dollars worth of stuff and shipped it to this guy or, you know, to us. We Googled him and found that the information is correct. So, my questions: Why did this happen? Does the Fox Store have this bad a handle on its customers' data? Should we call him and let him know about this, or will he accuse us of "hacking the Gibson"?
Here is a screenshot with the relevant data removed.
Heck, call Visa and let them know if you really want to stir things up. FWIW, the card association rules are very clear on the point that the card security code should not be stored in any way, shape, or form after the card has been authorized.
posted by trevyn at 9:20 PM on August 19, 2005
Call the Secret Service U.S. Treasury division. They handle this stuff real well.
posted by Livewire Confusion at 6:00 AM on August 20, 2005
I had this happen years ago on CDNow, which was subsequently bought by Amazon. I contacted their support line -- after taking screenshots to prove that I wasn't making it up -- and let them know. It turned out to be a server error not releasing the session data from abandoned carts. Perhaps this is a similar situation.
posted by mkhall at 12:40 PM on August 20, 2005
Unfortunately, this kind of thing happens with some frequency. After all, the webstore is simply an application and is subject to bugs just like everything else.
Good luck,
Ed T.
posted by Lactoso at 8:46 PM on August 19, 2005