Harbor Freight website redesigned

DO NOT USE IT!!!!

The new site has a MAJOR security issue.

I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. Thinking this was a minor glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!

I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another members account information!

I just sent the customer service an E-mail about it but don't know if they will take action.

I just tried the same thing, and did not get your result.

i

What browser are you using?

I just tried it again with the same results.

Next time I got the info for a person from Tennessee!

And this time it was a person from Massachusetts!

I got a 'create new account' page. I clicked the speaker icon to get an audio challenge, rather than type the two words shown. Expected to hear the two words... instead ... it was funny!

Well I just cleared the cache and went back again. This time I got results for a male in California!

I would say this is a problem if it is only one machine that can do it. Oh and by information I mean the persons Mailing address, Shipping address, Credit card number, order information, personal settings, E-mail settings, reorder and cancellation info as well as the ability to change any of the above!

All the same stuff that I would expect to be able to access as a customer signed in to my own account. Which I STILL haven't been able to get to.

I got a person from WA.

I e-mailed him and left a phone message so he could make sure his credit card info had not been compromised also.

Thanks for the heads up.

Hmmm... I haven't been able bring up any leaked info using Safari on my Mac. However, I've never had an account with HF either... so I guess I don't have a dog in this fight.

HF's administrative and technical contact phone, address and e-mail info can easily be had by running:

harborfreight.com

through:

I was going to just post the contact info here, but then had second thoughts... all I need now is HF brass snapping up my ass.

If HF had any of my info, I'd be on them like a starving Chihuahua on a pork chop.

Hope no one gets burned...

Erik

March 5, 2010 FTC: Web Site Security Seals Are Lies Retail Realities: The Federal Trade Commission Proved What Most Suspected: There's Nothing Behind Those Seals

(CBS) This column was written by Evan Schuman, the editor of StorefrontBacktalk, a site that tracks retail technology, e-commerce and security issues. Retail Realities appears every Friday. Evan can be reached at E-mail and on Twitter.

The U.S. Federal Trade Commission (FTC) last week screamed "the Emperor has no clothes" by reporting to consumers that one of the largest firms issuing "Verified Secure Breach Protection" seals doesn?t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.

The settlement against five-year-old ControlScan said that "contrary to the statements" ControlScan made to retailers, the company "in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan."

That last charge is particularly significant because it moves these accusations beyond mere neglect (they never bothered to check) to true, all-American lying (they checked, found bad stuff and gave them the seal anyway, as long as they paid their bill).

. . .

I get the create new account page, using Firefox 2 on a Win98 PC (but it's backward and upside down inside a spiffy Mac G4 case)

Ouch! That's a security risk!

Not as of yet.

I just got : Contact Information | Edit Moses King snipped-for-privacy@yahoo.com Change Password

On Thu, 29 Apr 2010 23:30:49 -0400, "Steve W." had a flock of green cheek conures squawk out:

I get an invalid security certificate due to wrong url and being self-signed for the links to account, register, and track. URL not found for contact us, store finder and other. Order from catalog does nothing.

Firefox 3.63 and Win7x64.

The website stopped working altogether.

My thinking is that they purchased the software from the same place where they buy their stuff for sale, namely from The People's Noodle and Best Precise Instrument Factory And Website Development Corporation of Dunginbung, China. I hope that they did not pay as much.

i

Cen-Soft....

Thank you for contacting us about your experience on HarborFreight.com. We take our Customer=92s Privacy and Security very seriously. Currently, we are investigating the issue you brought to our attention.

The site has been placed in Maintenance mode until we finish our investigation. We will reopen the site for business as soon as possible.

Thank you,

Harbor Freight Tools

Maybe they fixed it by now but they left out machining tools.

Wes

--Now that the Chinese have infiltrated they're making their power grab, eh? Not surprised..

[ ... ]

As of 22:45 EDT *someone* got through to them. I see an image (not text) which says that the site is "Currently unavailable due to scheduled maintenance) and offering a phone number for placing an order, or to complete one in progress.

:-)

I'm glad that I have never registered with them either.

Enjoy, DoN.