New Harbor Freight website has MAJOR security hole!!!

DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!

I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another members account information!

I just sent the customer service an E-mail about it but don't know if they will take action.

Reply to
Steve W.

They will I am sure.

It's a nice looking website. More clean and professional rather than industrial looking. The search function works better. Now if they would just add all the service and repair parts from the master catalog. That was the main thing I found lacking in the old cart system. They had never done all the data entry for all the repair and service parts. You could search by item number if you knew it, but if you didn't it was impossible to find via the site.

Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.

Reply to
Bob La Londe

I am OK with either look, but I realized there is one more problem: the old system let me keep my stuff in the shopping cart for weeks. So I would just put stuff in it for a while and then place an order. The new system empties the cart very quickly. This is EXTREMELY STUPID.

McMaster Carr also lets me keep a shopping cart almost forever. This is the way it should work.

i
Reply to
Ignoramus9191

That could be related to the other issue. If it's losing track of your cookies and thinking you are somebody else, it's not going to show what is in your shopping cart properly either.

Reply to
Bob La Londe

I can't GARDEN TOOLS, LAWN EQUPIMENT stand the pop up windHAND TOOLSows that interfere any time AIR TOOLS that I try and mouse to CLEARANCE CLOSE OUTS something.

Reply to
Stormin Mormon

I think that you got it perfectly right.

i
Reply to
Ignoramus9191

Harbor Freight Tools had written this in response to [link]: Thank you for contacting us about your experience on HarborFreight.com. We take our Customer's Privacy and Security very seriously. Currently, we are investigating the issue you brought to our attention.

The site has been placed in Maintenance mode until we finish our investigation. We will reopen the site for business as soon as possible.

Thank you,

Harbor Freight Tools

Delivered via [link] Forums: Web and RSS access to your favorite newsgroup - rec.crafts.metalworking - 208626 messages and counting!

Reply to
Harbor Freight Tools


Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site in maintenance mode to test it more. Haven't tried it again but last night I could pull up random names just about every time.

Reply to
Steve W.

I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).

i
Reply to
Ignoramus9191

Agreed. Onmouseover CLICK HERE FOR GREAT DEAL coding is extremely POPDOWN MENU annoying when trying to PARTS AND ACCESSORIES just go from one VIEW YOUR CART area to another. JR Dweller in the cellar

Storm> I can't GARDEN TOOLS, LAWN EQUPIMENT stand the pop up

Reply to
JR North

I wonder then if that was the case, if one could then deliberately fool the system by generating your own cookies and thus harvesting personal information deliberately?

Reply to
Roger Shoaf

On decent websites, cookies are hard to guess. My site algebra.com gives cookies like this:

Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT

(cookie slightly altered but looks same as the original). It is not easy to guess someone else's cookie.

i
Reply to
Ignoramus9191

expires=Mon, 05-Jul-2010 21:21:30 GMT

Do the cookies progress randomly or could one deduce the progression or regression from a limited sample? It would seem to me that if the cookie generation was not given a lot of thought, then on commercial sites, one might have the ability to sneak in and poke around.

Reply to
Roger Shoaf

I pulled the ones I had and all were different. I had saved them in a file in case they didn't believe it. Deleted it when I called and found they were working on it.

Talked to a human about it and was told that soon after my message came in they received more asking the same questions. I'm sort of surprised others didn't catch it first.

Should have asked for an unlimited gift card....

Anyway she said they were pulling the site until they could figure out the problem.

Reply to
Steve W.

It's always a bit scary when you realise that you're the first person to report a bug!

BTDT

Mark Rand RTFM

Reply to
Mark Rand

[ ... ]

If I were generating cookies which could be used to access personal information, I would probably start with the process ID and the unix raw date, with the digits interleaved by some pattern, and then run a MD5 checksum on it to generate the actual cookie numbers. Depending on how serious the stored data was, I would probably toss another few randomizers into the game.

Enjoy, DoN.

Reply to
DoN. Nichols

Actually...I agree 100% with you.

Gunner

"First Law of Leftist Debate The more you present a leftist with factual evidence that is counter to his preconceived world view and the more difficult it becomes for him to refute it without losing face the chance of him calling you a racist, bigot, homophobe approaches infinity.

This is despite the thread you are in having not mentioned race or sexual preference in any way that is relevant to the subject." Grey Ghost

Reply to
Gunner Asch

Seems to me (and I am no expert) that the ability to access personal info should be blocked from cookie access. To get to that data you should have to log in with password and ID. To do it otherwise seems to me to invite trouble.

Reply to
Roger Shoaf

Yes -- but some systems *remember* that you have logged in based on cookies set for the session time only. HTTP is a "stateless" protocol, so it can't remember that you are logged in without some kind of help.

Better would be double-key encryption both ways of course.

Enjoy, DoN.

Reply to
DoN. Nichols
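As an added illustration that is not from any poster in this thread, here is a toy Python session-cookie scheme covering the points raised above: the "everyone gets the same cookie" failure, the algebra.com-style random cookie, DoN's pid-plus-time-MD5 construction reproduced only so its entropy can be bounded, and a server-side store that binds a cookie to a password login with an expiry. All names, the in-memory store, and the entropy parameters (2^15 possible pids, a one-day window) are assumptions.

```python
import hashlib
import math
import secrets
import time
from email.utils import formatdate

SESSION_TTL = 3600  # seconds a login is remembered, mirrored by the cookie's expires=


def weak_session_id(pid: int, unix_time: int) -> str:
    """DoN's proposed construction (reproduced to measure it): interleave the digits
    of the process id and the unix time, then MD5.  Both inputs are guessable, so the
    output has no more entropy than the inputs, however random the hex looks."""
    a, b = str(pid), str(unix_time)
    interleaved = "".join(a[i:i + 1] + b[i:i + 1] for i in range(max(len(a), len(b))))
    return hashlib.md5(interleaved.encode()).hexdigest()


def weak_id_entropy_bits(pid_range: int = 32768, time_window_s: int = 86400) -> float:
    """Upper bound on the unknown part of weak_session_id: which pid (assumed 2^15)
    and which second within the window.  Hashing does not add entropy."""
    return math.log2(pid_range * time_window_s)


def strong_session_id() -> str:
    """What a 'decent website' does: 128 bits from the OS CSPRNG per login."""
    return secrets.token_hex(16)


class SessionStore:
    """The server-side memory that stateless HTTP lacks: cookie value -> user.
    The cookie is only a lookup key; no name, address or order data lives in it."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}

    def login(self, user_id: str, password_ok: bool):
        if not password_ok:          # data is reachable only after a real login
            return None
        sid = strong_session_id()    # fresh per login, never shared between users
        self._sessions[sid] = (user_id, time.time() + SESSION_TTL)
        return sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, expiry = entry
        if time.time() > expiry:     # expired sessions are forgotten, not reused
            del self._sessions[sid]
            return None
        return user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, ttl: int = SESSION_TTL) -> str:
    """Same shape as the algebra.com header quoted above (RFC date form), plus
    HttpOnly and Secure so scripts and plain HTTP cannot read the cookie."""
    expires = formatdate(time.time() + ttl, usegmt=True)
    return f"Set-Cookie: session={sid}; path=/; expires={expires}; HttpOnly; Secure"
```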
