Online shopping is generally very safe, but online stores do need to make sure to keep each customer's information safe from the eyes of others.

When visiting an online shopping site I didn't log on - I just clicked the site from a Google search. Someone else's shopping cart and info popped up. I'm concerned because I ordered from them recently. Of course it gave the option 'if I'm not "user name" click here', but why would I get someone else's information in the first place?

That's a little scary.

I'd want to see the amount of information that was presented before I passed final judgment, but even so - even if it was something as simple as their full name I'd consider that a privacy breach.

And I'd seriously reconsider shopping at that site again.

Let me review how this might have happened.

Who Are You?

We typically think of web sites using cookies to keep track of who you are while you're logged in and when you return. Cookies, of course, are local to your machine and are not visible to search engines and the like, so they represent a fairly reasonable way to do the job.

But they're not the only way.

In practice, many sites use a combination of cookies and parameters on the URL to keep track of what's happening.

What do I mean by "parameters on the URL"? Well, consider this link to a fictitious online retailer:

http://www.reallybigbookstore.com/

That'll take you to a site, and you'll be greeted as "visitor".

Now consider this variation:

http://www.reallybigbookstore.com/?name=Leo

You'll be greeted as "Leo". Change the "Leo" to whatever you like, and it'll greet you by whatever you've entered. That "name=" after the question mark is a parameter - in fact, on any URL, everything after the question mark is one or more parameters to the page.

Now, if you've looked, you're probably more likely to see parameters of the form:

... pf_rd_r=1QZ1KA166NCC9TNETGMW ...

In other words, the parameter names make no sense and the values are indecipherable.

To you and me, maybe. But to the online store you're visiting, that might well be a customer ID reference that they can use to pull your information from their databases so as to personalize your page.

Give someone else the link with that parameter and in a poorly designed system "they" could suddenly be "you".

OK, But ... From A Search Engine?

So how'd a link with someone else's customer ID (or whatever might be encoded there) get into a search engine?

A few different ways.

Essentially any technique that search engines use to "discover" pages on the internet is fair game. That means:

  • Perhaps it really is a link on a web page somewhere on purpose. Not sure why, but it could happen.

  • Perhaps someone shared a link with someone ("hey, look at this cool product") and copied the entire URL including the encoded information into a discussion group that was later spidered by a search engine and added to the search index. This is actually pretty common as people don't clean up URLs before posting.

  • Perhaps the person shopping was using a toolbar provided by a search engine. Often toolbars also report the URLs viewed back to the search engine, and these URLs are then added to the search index.

Regardless, it's there and apparently relevant enough to rank highly for whatever it is you searched for.

It Shouldn't Happen

It's that simple.

I mentioned above that in a poorly designed system "they" could suddenly be "you".

That shouldn't happen.

What you've experienced - visiting a link and then seeing information belonging to someone who was never on your computer - simply shouldn't happen. It's a privacy issue at the least: even if you can't see anything else, I don't want my name alongside my shopping cart to be visible to anyone but me.

There are enough techniques available to web site designers to make sure that it doesn't happen.
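
To make the difference concrete, here is an added sketch (not code from any real store) of the poorly designed page described earlier next to one that takes identity only from a server-side session. The `cust` parameter, the `session` cookie name and the customer records are all assumptions made up for the illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: customer records and a server-side session table.
CUSTOMERS = {
    "1001": {"name": "Alice", "cart": ["Atlas"]},
    "1002": {"name": "Bob", "cart": ["Cookbook"]},
}
SESSIONS = {}  # session token -> customer id, held only on the server


def log_in(customer_id):
    """Issue an unguessable token; the browser keeps it in a cookie, never in the URL."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def page_vulnerable(url, cookies):
    """Poor design: whoever holds the link is treated as that customer."""
    params = parse_qs(urlsplit(url).query)
    customer_id = params.get("cust", [""])[0]  # hypothetical parameter name
    return CUSTOMERS.get(customer_id, {"name": "visitor", "cart": []})


def page_hardened(url, cookies):
    """Identity comes only from the session cookie. URL parameters are never
    used to decide who the visitor is, so a shared or indexed link reveals nothing."""
    customer_id = SESSIONS.get(cookies.get("session", ""))
    return CUSTOMERS.get(customer_id, {"name": "visitor", "cart": []})


if __name__ == "__main__":
    # A link that was pasted into a forum and later picked up by a search engine.
    indexed_link = "http://www.reallybigbookstore.com/?cust=1001"
    stranger = {}                            # arrives from a search result, no cookies
    alice = {"session": log_in("1001")}      # the real customer, logged in

    print(page_vulnerable(indexed_link, stranger))  # Alice's name and cart leak
    print(page_hardened(indexed_link, stranger))    # greeted as "visitor"
    print(page_hardened(indexed_link, alice))       # Alice still sees her own cart
```
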

I'd report the issue to the shopping site's customer service.

And then I'd think hard about whether I'd shop there again.

Article C4502 - October 30, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
11 Comments
Matt
November 2, 2010 6:42 PM

There is another way this may have happened....
PHP web pages have a thing called 'session state', which creates a file on the server end with a very long random filename. A cookie is then stored on the client's computer with the name of this file. Session state is used to store larger amounts of data, or anything that would be better off on the server end.

It is possible that this user randomly was assigned a name already in use. One could say that this is analogous to having your house key opening a door on the other side of the world.

Catz
November 2, 2010 11:17 PM

Just a comment about reporting it to the site's customer service - go a step further instead - report it to the site's IT people or the webmaster - typically the CS people do not care enough to deal with it or pass it on. (Been there, done that, to an online retailer, the CS had no clue what I was trying to tell her - asked for the IT dept, got transferred over and was able to explain the issue to the horrified tech. Was fixed promptly and I got an email from one of the mgrs and a 20% discount off my next order for my trouble.)

George
November 3, 2010 3:26 AM

There's still another way to get this sh*tty behaviour: it again involves other people not logging off. But then, if your router or other communication equipment is not "permanently" connected to your provider (like when using ISDN, and yes, that still is fairly used), then upon disconnection the (dynamic) IP-address of the first user gets freed. When you then connect to the provider, you might get this same IP. And if then you visit the same store, it may identify the IP, consider the incorrect (without logoff) disconnection as a possible technical problem and try to restore the session. The intention is OK, but the process can lead to the "wrong" user being greeted .... This probably will happen most often with large providers and/or stores. The only way to avoid this kind of disclosure is (as others have stated already) to always disconnect only after having closed the session with logoff, signout or whatever ...

Stan
November 4, 2010 4:24 PM

Hi, Leo,

In David's response he raises the question I have and which you did not address in your response - Was the computer being used a personal or public computer? Many people use public computers (libraries, etc.) as I have on occasion myself, and I have had the experience of going to a site through a public computer and finding the site already active but with someone else's ID because they had not logged off when they finished and many sites do not have a time out setting to cancel log ins after a certain period of inactivity.

Eli Coten
November 10, 2010 8:51 AM

I read the article but didn't see this possibility mentioned:
Could be that someone else previously used the same computer and logged into that online store and never logged out and for some reason their session never expired.