PSA -About Mcmaster's Website

[pizlo]

Edit: Pizlo beat me in finding it

[Pete Zaria]

This is indeed a big security vulnerability. It not only allows for potential privacy breeches, but opens the door to session hijacking and capturing of financial information.

socoj2, I'm going to remove the links you posted with your personal mcmaster link, for privacy and legal reasons.

Peace,
Pete Zaria.

[PCGUY]

I have contacted McMaster.

[Ragnarok]

Bloody hell, that really is a serious security flaw...

The way they've tried to get around it is just irresponsible.
Mind you, I never store any of my financial data on my computer or online, nor do I use automatic login on any internet store (forums - yes, just about everything else, no).

I'm not one to be careless with my details, so when I order, I'll manually enter my debit card number each time, and only after performing a full sweep of my PC for any possible phishing software.

I don't intend to fall foul of any scams, frauds, hacks or exploits.

[socoj2]

Heh I actually know what im doing. Its cool that some of you guys where not ready to believe me but. I blasted them in an email.... I am not happy at all. I checked my account when i found out about it and there was no outrageous errors. But someone did order a QEV and had it shipped to me. i also cancled that.

[socoj2]

Holy Crap, If I go to your current order I can see your info...
I don't know if you did this but it doesn't still have your credit card number.

that is because i DELETED my info from their site as soon as i found out about it...

[socoj2]

Just got a Mcmaster customer service rep. If you look at the bottom of their web page. Click on Security. It has two options Normal and VERY HIGH.

Very High will prompt you for an user name and password Every time to log into to your account.

I still consider the fact that it doesnt default to this blatantly stupid, and it pisses me off that they even took this chance with my account information.

[jimmy101]

Just got a Mcmaster customer service rep. If you look at the bottom of their web page. Click on Security. It has two options Normal and VERY HIGH.

Very High will prompt you for an user name and password Every time to log into to your account.

I still consider the fact that it doesnt default to this blatantly stupid, and it pisses me off that they even took this chance with my account information.

That really doesn't address the security issues, and someone should tell McMaster that.

Besides, it looks like critical information is being passed in URLs. That should never happen. Clearly this is a bug in the system. Autologin is bad enough but at least with that, if you send a link to another person, persumably on another machine, then the autologin shouldn't work and your accout info (except perhaps the user name) would still be protected.

[clide]

If you want to link to a product on McMaster you can use the following format:

http://www.mcmaster.com/nav/enter.asp?partnum=9528K131

Just replace the part after "=" with the part number you want to link to.