Posted: Sun Feb 17, 2008 8:58 pm
by pizlo
daberno123 wrote:
Edit: Pizlo beat me in finding it

Posted: Sun Feb 17, 2008 8:59 pm
by Pete Zaria
This is indeed a big security vulnerability. It not only allows for potential privacy breaches, but opens the door to session hijacking and capturing of financial information.
socoj2, I'm going to remove the links you posted with your personal mcmaster link, for privacy and legal reasons.
Peace,
Pete Zaria.
Posted: Sun Feb 17, 2008 9:03 pm
by PCGUY
I have contacted McMaster.
Posted: Sun Feb 17, 2008 9:34 pm
by Ragnarok
Bloody hell, that really is a serious security flaw...
The way they've tried to get around it is just irresponsible.
Mind you, I never store any of my financial data on my computer or online, nor do I use automatic login on any internet store (forums - yes, just about everything else, no).
I'm not one to be careless with my details, so when I order, I'll manually enter my debit card number each time, and only after performing a full sweep of my PC for any possible phishing software.
I don't intend to fall foul of any scams, frauds, hacks or exploits.
Posted: Mon Feb 18, 2008 12:09 am
by socoj2
Heh, I actually know what I'm doing. It's cool that some of you guys were not ready to believe me but. I blasted them in an email.... I am not happy at all. I checked my account when I found out about it and there were no outrageous errors. But someone did order a QEV and had it shipped to me. I also canceled that.
Posted: Mon Feb 18, 2008 12:09 am
by socoj2
pizlo wrote: Holy Crap, If I go to your current order I can see your info...
I don't know if you did this but it doesn't still have your credit card number.

That is because I DELETED my info from their site as soon as I found out about it...
Posted: Mon Feb 18, 2008 9:56 am
by socoj2
Just got a McMaster customer service rep. If you look at the bottom of their web page. Click on Security. It has two options: Normal and VERY HIGH.
Very High will prompt you for a user name and password every time to log in to your account.
I still consider the fact that it doesn't default to this blatantly stupid, and it pisses me off that they even took this chance with my account information.
Posted: Mon Feb 18, 2008 3:38 pm
by jimmy101
socoj2 wrote: Just got a McMaster customer service rep. If you look at the bottom of their web page. Click on Security. It has two options: Normal and VERY HIGH.
Very High will prompt you for a user name and password every time to log in to your account.
I still consider the fact that it doesn't default to this blatantly stupid, and it pisses me off that they even took this chance with my account information.
That really doesn't address the security issues, and someone should tell McMaster that.
Besides, it looks like critical information is being passed in URLs. That should never happen. Clearly this is a bug in the system. Autologin is bad enough but at least with that, if you send a link to another person, presumably on another machine, then the autologin shouldn't work and your account info (except perhaps the user name) would still be protected.
Posted: Mon Feb 18, 2008 6:11 pm
by clide
If you want to link to a product on McMaster you can use the following format:
http://www.mcmaster.com/nav/enter.asp?partnum=9528K131
Just replace the part after "=" with the part number you want to link to.