Helping people with computers... one answer at a time.

Online shopping is generally very safe, but online stores do need to make sure to keep each customer's information safe from the eyes of others.

When visiting an online shopping site I didn't log on - I just clicked the site from a google search. Someone else's shopping cart and info popped up. I'm concerned because I ordered from them recently. Of course it gave the option 'if I'm not "user name" click here', but why would I get someone else's information in the first place?

That's a little scary.

I'd want to see the amount of information that was presented before I passed final judgment, but even so - even if it was something as simple as their full name I'd consider that a privacy breach.

And I'd seriously reconsider shopping at that site again.

Let me review how this might have happened.

Who Are You?

We typically think of web sites using cookies to keep track of who you are while you're logged in and when you return. Cookies, of course, are local to your machine and are not visible to search engines and the like, so they represent a fairly reasonable way to do the job.

"What you've experienced ... simply shouldn't happen."

But they're not the only way.

In practice, many sites use a combination of cookies and parameters on the URL to keep track of what's happening.

What do I mean by "parameters on the URL"? Well, consider this link to a fictitious online retailer:

http://www.reallybigbookstore.com/

That'll take you to a site, and you'll be greeted as "visitor".

Now consider this variation:

http://www.reallybigbookstore.com/?name=Leo

You'll be greeted as "Leo". Change the "Leo" to whatever you like, and it'll greet you by whatever you've entered. That "Name=" after the question mark is a parameter - in fact on any URL, everything after the question mark is one or more parameters to the page.

Now, if you've looked, you're probably more likely to see parameters of the form:

... pf_rd_r=1QZ1KA166NCC9TNETGMW ...

In other words, parameter names are names that make no sense, and values that are indecipherable.

To you and me, maybe, but to the online store you might be visiting that might well be a customer ID reference, from which they can then pull your information from their databases so as to personalize your page.

Give someone else the link with that parameter and in a poorly designed system "they" could suddenly be "you".

OK, But ... From A Search Engine?

So how'd a link with someone else's customer ID (or whatever might be encoded there) get into a search engine?

A few different ways.

Essentially any technique that search engines use to "discover" pages on the internet is fair game. That means:

  • Perhaps it really is a link on a web page somewhere on purpose. Not sure why, but it could happen.

  • Perhaps someone shared a link with someone ("hey, look at this cool product") and copied the entire URL including the encoded information into a discussion group that was later spidered by a search engine and added to the search index. This is actually pretty common as people don't clean up URLs before posting.

  • Perhaps the person shopping was using a toolbar provided by a search engine. Often toolbars also report back to the search engine URLS viewed, and these URLs are then added to the search index.

Regardless, it's there and apparently relevant enough to rank highly for whatever it is you searched for.

It Shouldn't Happen

It's that simple.

I mentioned above that in a poorly designed system "they" could suddenly be "you".

That shouldn't happen.

What you've experienced - visiting a link and then seeing someone else's information for someone that was never on your computer - simply shouldn't happen. It's a privacy issue at least - even if you can't see anything else I don't want my name along side my shopping cart to be visible to anyone but me.

There are enough techniques available to web site designers to make sure that it doesn't happen.

I'd report the issue to the shopping site's customer service.

And then I'd think hard about whether I'd shop there again.

Article C4502 - October 30, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

11 Comments
Mike
October 30, 2010 12:28 PM

Couldn't the issue have happened if a friend or relative of the person who asked the question visited that site on his computer but never logged out?

From the questioned I read that the information was for somone he did not know. I assume he would at least recognize the info had it been for someone previously using the computer.
Leo
01-Nov-2010

Mark Jacobs
October 31, 2010 2:17 AM

@Mike. That is very possible, except in this case, the person who wrote in would have recognized the name if that person was using his computer.

Steve.
October 31, 2010 12:00 PM

This happened to me one time at work about 4 years ago. I saw a coworkers account information when I logged into a site. I figured it had something to do with our network. He was never on my local computer so that is what I assumed at the time.

Glenn P.
November 2, 2010 12:36 PM

If the Other Person left without logging off and with clearing cookies, yes, the site might think you are that Other Person. Like Leo said, "It Shouldn't Happen" -- but hey, sh-t happens.

Actually, it happens to me  all the time, to my profound annoyance -- every time my sister visits -- because she absolutely never  bothers to log off. Which means that, before I can make proper use of the same site, not only do I  have to log off for  her, but I then have to go to the trouble of logging right back in  again... as myself  this time!

Sisters! Grrrrrr!!! Wouldn't you just LOVE  to put 'em through a meat grinder?     :>

David
November 2, 2010 1:14 PM

It wasn't stated in the question, but was the writer actually using his own home or work computer? If he was using a public computer at a library or school, it could be picking up the cookies of a previous user, who did not log out. One thing to make sure to check when using a computer that is not your own.

Mike
November 2, 2010 3:20 PM

It never occurred to me that a URL could contain identifying information, although I've never had such a problem. But it's good to know for future reference. Thanks. It's also another indictment of those damned toolbars that keep trying to sneak in during installations if they're sending out identifying information to the search crawlers.

Matt
November 2, 2010 6:42 PM

There is another way this may have happened....
PHP web pages have a thing called 'session state', which creates a file on the server end with a very long random filename. A cookie is then stored on the client's computer with the name of this file. Session state is used to store larger amounts of data, or anything that would be better off on the server end.

It is possible that this user randomly was assigned a name already in use. One could say that this is analogous to having your house key opening a door on the other side of the world.

Catz
November 2, 2010 11:17 PM

Just a comment about reporting it to the site's customer service - go a step further instead - report it to the site's IT people or the webmaster - typically the CS people do not care enough to deal with it or pass it on. (Been there, done that, to an online retailer, the CS had no clue what I was trying to tell her - asked for the IT dept, got transferred over and was able to explain the issue to the horrified tech. Was fixed promptly and I got an email from one of the mgrs and a 20% discount off my next order for my trouble.)

George
November 3, 2010 3:26 AM

There's still another way to get this sh*tty behaviour: it again involves other people not logging off. But then, if your router or other communication equipment is not "permanently" connected to your provider (like when using ISDN, and yes, that still is fairly used), then upon disconnection the (dynamic) IP-address of the first user gets freed. When you then connect to the provider, you might get this same IP. And if then you visit the same store, it may identify the IP, consider the uncorrect (without logoff) disconnection as a possible technical problem and try to restore the session. The intention is OK, but the process can lead to the "wrong" user being greeted .... This probably will happen most often with large providers and/or stores. The only way to avoid this kind of disclosure is (as others have stated already) to always disconnect only after having closed the session with logoff, signout or whatever ...

Stan
November 4, 2010 4:24 PM

Hi, Leo,

In David's response he raises the question I have and which you did not address in your response - Was the computer being used a personal or public computer? Many people use public computers (libraries, etc.) as I have on occasion myself, and I have had the experience of going to a site through a public computer and finding the site already active but with someone else ID because they had not logged off when they finished and many sites do not have a time out setting to cancel log ins after a certain period of inactivity.

Eli Coten
November 10, 2010 8:51 AM

I read the article but didn't see this possibility mentioned:
Could be that someone else previously used the same computer and logged into that online store and never logged out and for some reason their session never expired.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.