On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It
from the well,-that's-useful dept
Weren't we just discussing the idea of criminal liability for egregious security problems with data? And... weren't we also just discussing Sears' offering to install spyware on your computer without much notice and all in the name of community? Well, let's combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole allowing you to look up the purchases at Sears of just about anyone so long as you know their name, address and telephone number. As Edelman notes, this appears to be in direct violation of Sears' own privacy policy (and, well, common sense, but that's a different story...). So, now, Sears.com is spying on users without making it all that clear and revealing all customer purchase data with poorly implemented security. It's not a particularly comforting picture.
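The flaw described above is a broken access-control pattern: the server selects whose purchase history to return based on identifiers anyone can obtain (name, address, phone) rather than on who is actually logged in. The following is an added Python example, not code from Techdirt, Edelman or Sears, that puts the vulnerable lookup next to a hardened one bound to the authenticated session, and adds a simple detector that flags sessions looking up an unusual number of distinct customers. All data (the `Order` records, the session ids and the log lines) is constructed for the example.

```python
"""Added example: order-history lookup keyed on public identifiers (vulnerable)
versus lookup bound to the authenticated account (hardened), plus an
enumeration detector over constructed access-log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    customer_id: int
    name: str
    phone: str
    address: str
    item: str


# Constructed sample data; every name, phone and address here is made up.
ORDERS = [
    Order(1001, "Alice Example", "555-0100", "1 Main St", "plasma television"),
    Order(1001, "Alice Example", "555-0100", "1 Main St", "5-year service plan"),
    Order(1002, "Bob Example", "555-0101", "2 Oak Ave", "table saw"),
]


def lookup_by_public_identifiers(name, phone, address):
    """Vulnerable pattern: the caller names the target, and the server trusts
    that knowing name+phone+address proves ownership. It does not; those values
    come from phone books, mailboxes and discarded mail. Requiring a login or a
    CAPTCHA before this call slows scripted harvesting but still never checks
    that the caller *is* the customer whose record comes back."""
    return [o.item for o in ORDERS
            if (o.name, o.phone, o.address) == (name, phone, address)]


def lookup_for_session(session_customer_id):
    """Hardened pattern: the record set is selected by the identity the server
    established at login, so the request carries no target to tamper with."""
    return [o.item for o in ORDERS if o.customer_id == session_customer_id]


class AuthorizationError(Exception):
    pass


def lookup_order_history(session_customer_id, requested_customer_id):
    """If the UI must send a customer id at all, it is compared against the
    session's id server-side; a mismatch is refused, never honoured."""
    if requested_customer_id != session_customer_id:
        raise AuthorizationError("customer id does not match authenticated session")
    return lookup_for_session(session_customer_id)


# Constructed access-log lines in an assumed format: session id, then the
# customer that session asked about.
SAMPLE_LOG = """\
sess=A lookup name="Alice Example" phone=555-0100
sess=A lookup name="Alice Example" phone=555-0100
sess=B lookup name="Alice Example" phone=555-0100
sess=B lookup name="Bob Example" phone=555-0101
sess=B lookup name="Carol Example" phone=555-0102
sess=B lookup name="Dan Example" phone=555-0103
"""

LOG_RE = re.compile(r'sess=(\S+) lookup name="([^"]*)" phone=(\S+)')


def sessions_enumerating_customers(log_text, max_distinct=2):
    """Return session ids that looked up more distinct customers than a
    legitimate user plausibly would. This is a detection aid for the interim
    while the authorization bug is fixed, not a substitute for fixing it."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sess, name, phone = m.groups()
            targets[sess].add((name, phone))
    return sorted(s for s, seen in targets.items() if len(seen) > max_distinct)


if __name__ == "__main__":
    print("public-identifier lookup:",
          lookup_by_public_identifiers("Alice Example", "555-0100", "1 Main St"))
    print("session-bound lookup:", lookup_for_session(1001))
    print("sessions to review:", sessions_enumerating_customers(SAMPLE_LOG))
```

The point of the contrast is that the fix is structural, not cosmetic: the hardened functions never let the request choose the record, so a CAPTCHA or rate limit becomes a second layer rather than the only one. The detector's threshold is a placeholder; a real deployment would tune it against normal per-session behaviour.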
Filed Under: ben edelman, privacy, security, shopping data
Companies: sears
Reader Comments
oooooh
Wow, stupid Sears
What's the crime?
Re: What's the crime?
Once they figure out how to spin it so that if you don't watch the 10 o'clock report you will DIE FROM THIS FLAW!
Unless you'll die, someone has already died, something will blow up, or someone will die from blowing it up... thus killing someone news really doesn't have the time to add it in.
You have to fit it between the fluff pieces on your local animal shelter animals up for adoption, the cutesy picture of kids doing some great service to mankind by selling (insert crappy item here) for (insert crappy charity here), and the sensationalized coverage of the election "Obama wins Iowa, Hillary to commit suicide?", etc etc...
eBay History
I can also see everything you have sold. For example, I see that my nephew is selling the PS2 game I gave him. He's selling it as used, so either he beat it or he didn't like it.
first discovered issue
http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
and then later followed up here:
http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy-issue-for-sears.aspx
"Heather said:
OMG! Check out a Sears site, managemyhome.com. Once you register you can look up purchase information for ANYONE by just putting in their name, address and phone number. Sears has you enter a code and says that keeps your info safe, but that is pretty useless -- I think that just prevents a script from being created, but DOES NOT stop people from entering in anyone else's info to get the purchase info on big ticket items -- this could bring casing someone's house to a whole new level!!
I contacted the privacy e-mail that the site provided, but no one ever responded. Anyone with any ideas about how to get this service off the web, I would be open to suggestions."
#7
Community
Sears
;)
Oh come on now...
created in house by Sears, or if they hired a developer to do the work. That sort of defect in security is for n00bs. It's the developer that should be castigated.
I do not work at Sears. I do not shop at Sears. There is no Sears store within forty miles of my home. But here's the news...
Sears is in business to sell stuff, and most of the stuff they sell is ok. The hand tools are almost good. So the community web site was botched. Yeah, it's a problem; Sears should thank people for bringing it to their attention and fix it now. I don't see it as a rational basis to impugn the entire company's reputation.
This seems to excite the knee-jerk reaction "big company, bad!" from some people. It seems that Big has become a pejorative term in nearly any case but government and fast food.
Re: Sears
just tried it
Re: Re: Sears
Re: eBay History
Re: #7
Re: Re: Re: Sears
But wait, there's more.. If I know your name and telephone number and that you've made a purchase from Sears, it becomes a trivial task to social engineer other information as well.
"Hi, this is the Sears Warranty Support Center. I see that you recently purchased one of our plasma televisions but you neglected to get an extended warranty on it."
Customer: "What!?!?! I paid $300 for a 5 year service plan"
"Sorry, we don't have any record of that. Can you please tell me the credit card number you used for the purchase?........and that expires when??? Hmm, sorry, I still don't show anything...oh wait, here it is...they mistyped your DOB in our system. It's all fixed now. Sorry for the inconvenience"
It REALLY is that easy and the customer will thank the "representative" for helping resolve the "problem", and it's only that easy because all of that information is available.
P.S. We take all of the boxes to any expensive items and put them in front of some neighbor's house that we don't like. We do this regardless if it's Xmas or the like. So this year I imagine that some crackhead will break in trying to find their new Wii.
Re: Re: Sears
To some this kind of info looks innocent enough, but to others it looks like a gold mine. Look up a neighborhood of names from mailboxes, or discarded mail, and have a field day on the few holidays we do have each year, just by checking out who bought what, when, and how much that product may be worth on the streets.
I get the shivers just thinking about this. Bad idea on the part of Sears.
Re: What's the crime?
In regards to the general media -- Sears was smart to pull the function very quickly before the media got a hold of it. I wonder if all the blogging increased traffic of hackers and people entering multiple addresses. They certainly did scurry to get the info off the website. I did see articles on yahoo news, abc news and the washington post, so although it has not gotten TV press, the word is spreading.
Interested in Class Action
http://blog.washingtonpost.com/securityfix/2008/01/class_action_suit_alleges_sear.html
http://findarticles.com/p/articles/mi_qn4155/is_20071109/ai_n21104858
This guy definitely gets the award for the stupidest web marketer of the year! Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public. Since they were so free with my info, I don’t have a problem sharing their info -- I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com -- I would guess that Jim’s e-mail address is Jhilt00@searshc.com or jhilt01@searshc.com.