Sears isn’t having much luck these days.
First, they install spyware on their customers’ computers. If you “join the Sears community”, they install a proxy on your computer and intercept all web traffic.
Ugly, ugly, idiocy.
Now, it turns out they have a major logic flaw on their website. As reported by Brian Krebs at Security Fix, anyone can see anyone else’s purchase history given only the target’s name, address, and phone number, all of which are public. Have those white pages handy? It seems to cover both online and offline purchases.
If you’re not paying attention to logic flaws in your databases and applications, this is a great example of why you should. While it’s good to make life easy for your customers, it’s bad when you make it just as easy for your next door neighbor to figure out whether you really bought those new hedge shears that coincidentally look just like the ones they lost out of their shed last month. Nothing here is malformed input or a broken control; the site simply treats facts anyone can look up as proof of identity.
This flaw was easily preventable with just a modicum of thought and the most cursory security review. Sears is too big a company to make this kind of mistake.
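To make the flaw concrete, here is an added example of the pattern (not code from the original post, and not Sears’s code; the customers, orders, passwords and roles are all constructed for illustration). The same name-and-phone search appears twice: once exposed to anyone who can fill in two public facts, and once where a customer can only ever see their own history, derived from an authenticated session, while the search is reserved for a staff role.

```python
"""Order-history lookup: the flawed shape beside a hardened one.

Added example, not from the original post or from Sears. All data below is
constructed: two neighbours, a store clerk, and toy passwords.
"""
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: two customers on the same street.
CUSTOMERS = {
    101: {"last_name": "Smith", "phone": "(555) 010-1234", "address": "12 Elm St"},
    102: {"last_name": "Jones", "phone": "(555) 010-5678", "address": "14 Elm St"},
}
ORDERS = {
    101: ["hedge shears", "lawn mower"],
    102: ["garden hose"],
}


def normalize_phone(phone: str) -> str:
    """Strip punctuation so '555-010-1234' and '(555) 010-1234' compare equal."""
    return re.sub(r"\D", "", phone)


def _find_orders_by_name_and_phone(last_name: str, phone: str) -> List[str]:
    """The search itself: match on last name (case-insensitive) and phone digits."""
    wanted = normalize_phone(phone)
    for cid, c in CUSTOMERS.items():
        if c["last_name"].casefold() == last_name.casefold() and normalize_phone(c["phone"]) == wanted:
            return list(ORDERS.get(cid, []))
    return []


def lookup_orders_vulnerable(last_name: str, phone: str) -> List[str]:
    """Flawed design: two public facts are accepted as a credential.

    Every input is well-formed, so validation will never catch this; it is an
    authorization failure. Anyone with a phone book can read a neighbour's history.
    """
    return _find_orders_by_name_and_phone(last_name, phone)


# --- hardened version -------------------------------------------------------

@dataclass(frozen=True)
class Session:
    token: str
    principal_id: int
    role: str  # "customer" or "staff"


# Hypothetical credential store (constructed). A real system checks password
# hashes; plain strings are used here only so the example runs offline.
_ACCOUNTS = {
    101: ("smith-pw", "customer"),
    102: ("jones-pw", "customer"),
    900: ("clerk-pw", "staff"),
}
_SESSIONS = {}


def login(principal_id: int, password: str) -> Optional[Session]:
    """Issue a session only after the caller proves possession of a secret."""
    account = _ACCOUNTS.get(principal_id)
    if account is None or not secrets.compare_digest(account[0], password):
        return None
    session = Session(secrets.token_urlsafe(32), principal_id, account[1])
    _SESSIONS[session.token] = session
    return session


def my_orders(session_token: str) -> Optional[List[str]]:
    """Customer view: the request names no customer at all.

    Whose history to return is decided server-side from the session, so a
    caller can only ever read their own orders. None means not authenticated.
    """
    s = _SESSIONS.get(session_token)
    if s is None or s.role != "customer":
        return None
    return list(ORDERS.get(s.principal_id, []))


def staff_search_orders(session_token: str, last_name: str, phone: str) -> Optional[List[str]]:
    """The name-and-phone search survives, but only behind a staff session."""
    s = _SESSIONS.get(session_token)
    if s is None or s.role != "staff":
        return None
    return _find_orders_by_name_and_phone(last_name, phone)
```

The point of keeping `_find_orders_by_name_and_phone` shared is that the query was never the problem; a clerk at the returns desk legitimately needs it. What decides whether the design is a feature or a breach is who may call it and how the server learns who is calling.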
And the spyware? Sheer stupidity by someone in marketing is my guess. Maybe they and whoever screwed up at Sony BMG went to the same marketing school.
2 Replies to “Second Major Privacy Breach At Sears: Very Bad Logical Flaw”
I am willing to bet that the proxy agent has no security. Given how this was thought out, security never entered what little conscious thought they had. The agent could probably be used to stream information back to the database, either flood it with bogus data or a nice SQL injection of a custom stored procedure. Unfortunately, the proxy agent probably has the provision to check for updates and patch itself, which means it could modified or externally controlled, and thus becomes a Trojan. And speaking of Sony Rootkit, think they wrote an uninstall program? I thought not.
Actually, you only need the phone number or the address. And you don’t need the first name. So with just a last name and phone number, you can look up someone’s purchase history.
Company directory with emergency numbers? PTA member list? Go wild!
Not to mention their comically bad captchas. “all” with the middle l italicized; “wise” with the i italicized. This is absurd.