Sears isn’t having much luck these days.

First, they install spyware on their customers’ computers. If you “join the Sears community”, they install a proxy on your computer and intercept all web traffic.

Ugly, ugly, idiocy.

Now, it turns out they have a major logic flaw on their website. As reported by Brian Krebs at Security Fix, anyone can see anyone else’s purchase history with just their name, address, and phone number. Have those white pages handy? It seems to cover both online and offline purchases.

If you’re not paying attention to logic flaws in your databases and applications, this is a great example. While it’s good to make life easy for your customers, it’s bad when you make it easy for your next door neighbor to figure out if you really bought those new hedging shears that coincidentally look just like the ones they lost out of their shed last month.
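The flaw described above is an authorization decision made on facts anyone can look up. The following is an added illustration, not code from the original post or from Sears: a tiny in-memory model of a purchase-history lookup showing the weak design (directory-level details treated as proof of identity) next to a hardened one (access tied to the authenticated account, with cross-account requests refused and logged so that someone walking through the white pages stands out). All names, records and function names are constructed for the example.

```python
"""Added example, not from the original post: weak vs. hardened
purchase-history lookup. Customer and order data are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    address: str
    phone: str


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: int
    items: Tuple[str, ...]


# Constructed sample data standing in for the retailer's database.
CUSTOMERS = {
    1: Customer(1, "Pat Doe", "12 Elm St", "555-0100"),
    2: Customer(2, "Sam Roe", "14 Elm St", "555-0101"),
}
ORDERS = [
    Order("A-1001", 1, ("hedge shears",)),
    Order("A-1002", 2, ("garden hose",)),
]


def lookup_weak(name: str, address: str, phone: str) -> List[Order]:
    """The flawed design: whoever knows a person's name, address and
    phone number (all public directory data) is treated as that person."""
    for c in CUSTOMERS.values():
        if (c.name, c.address, c.phone) == (name, address, phone):
            return [o for o in ORDERS if o.customer_id == c.customer_id]
    return []


# Audit trail of refused requests: (actor, requested customer id).
DENIED_LOG: List[Tuple[object, int]] = []


def lookup_hardened(session_customer_id: Optional[int],
                    requested_customer_id: int) -> List[Order]:
    """Authorization comes from the authenticated session, not from facts
    a neighbour can look up. Cross-account requests are refused and
    recorded so that enumeration attempts leave a trace."""
    if session_customer_id is None:
        DENIED_LOG.append(("unauthenticated", requested_customer_id))
        raise PermissionError("login required")
    if session_customer_id != requested_customer_id:
        DENIED_LOG.append((session_customer_id, requested_customer_id))
        raise PermissionError("not the owner of this purchase history")
    return [o for o in ORDERS if o.customer_id == requested_customer_id]


def suspicious_actors(threshold: int = 3) -> set:
    """Detection hook: actors with at least `threshold` refused
    cross-account lookups, the pattern a directory-driven scan produces."""
    counts = Counter(actor for actor, _ in DENIED_LOG)
    return {actor for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("weak:", [o.order_id for o in lookup_weak("Pat Doe", "12 Elm St", "555-0100")])
    print("own history:", [o.order_id for o in lookup_hardened(1, 1)])
    try:
        lookup_hardened(2, 1)
    except PermissionError as e:
        print("refused:", e)
```

The point of the hardened version is that the answer to "may this request see this history?" depends only on who is logged in, never on what the requester claims to know about the customer; the denial log gives operations something to alert on.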

This exploit was easily preventable with just a modicum of thought and the most cursory security review. Sears is too big a company to make this kind of mistake.

And the spyware? Sheer stupidity by someone in marketing is my guess. Maybe they and whoever screwed up at Sony BMG went to the same marketing school.
