PSA - About McMaster's Website

Posted: Sun Feb 17, 2008 3:40 pm
by socoj2
Apparently if you are logged in and send the link to a product, the URL actually includes your account info. So if you have a stored credit card number someone can just order stuff and have it sent to you.

Furthermore, to log into someone's account all you need is their email address. It does not prompt you for a password.

I will only be doing phone orders until they get this fixed and have since cleared all my information out.

Posted: Sun Feb 17, 2008 3:42 pm
by potatoflinger
Wow, that's not good. Thanks for the heads-up.

Posted: Sun Feb 17, 2008 3:44 pm
by jrrdw
Sooooo, what's your email? I need to order some stuff and have you pay for it.

But really, how did you find this out?

Posted: Sun Feb 17, 2008 3:58 pm
by socoj2
I posted a link to something in another forum, and someone messaged me and told me about it. I then verified it by clearing all my cookies and hitting the link, and then I did it from another computer.

I also cleared my cookies and went to the website and noticed they didn't ask me for a password to log in.

Posted: Sun Feb 17, 2008 4:00 pm
by jrrdw
Did you send them a message about it?

Just went there and copied and pasted this --

Security


The security of your information is important to us. We have several controls in place to keep your address, contact, and credit card information safe.

When you visit McMaster.com we can tell if you’re using the same computer that you’ve used during a previous visit by looking for a cookie. A cookie is a small text file stored in a temporary folder of your web browser. Cookies are commonly used to retain and speed the transfer of information between websites and personal computers. The file does not contain any personal information and cannot be used to harm or access information on your computer. If you have a cookie, you will be able to see your personal account information.

If you visit us from a different computer that does not have your cookie or you have deleted your cookie, you can retrieve your personal information by providing your e-mail address or user name. If you are coming from a different network than you have used in the past, we will prompt you for your password, to verify your identity.

Whenever we transmit your credit card information over the Internet, we use the industry standard Secure Socket Layer (SSL) encryption. Your full credit card number is never displayed or accessible from anywhere on our website. When you use a saved credit card, we only include the last four digits of the credit card number on the order page so you can tell which credit card you used. You cannot edit your credit card number online, only the nickname for the card and the expiration date.


If your company has security guidelines that require you to provide a user name and password before gaining access to your personal account information on a website, you can change your security preference below.

Recommended: The web site will normally remember all of your information. If you visit us from a computer on a different network, you can retrieve your information by providing your user name and password.

Very High: You have to sign in with your user name and password each time you visit to access any of your saved account information (e.g. addresses, custom shipping method, saved credit cards, etc.). If you close your browser or click "Sign Out" you will have to sign in again before gaining access to your account information.

From the security link at the bottom of the webpage.

Posted: Sun Feb 17, 2008 4:10 pm
by PCGUY
Interesting thing is, the McMaster URL stays the same the entire time... so the only way you would be able to link someone to a product is if you were to actually isolate the frame it is showing in and send someone that URL.

This is probably why it's designed that way.

As far as the login thing goes I don't know, I have never saved a number anywhere like that... nor have I ever made an account there. However things ordered with your card would end up at your house, not someone else's.

Posted: Sun Feb 17, 2008 6:06 pm
by socoj2
Link removed for privacy reasons by Pete Zaria. Sorry.

You guys hit that and see if the information on my account comes up.

Posted: Sun Feb 17, 2008 6:14 pm
by Ragnarok
socoj2 wrote: You guys hit that and see if the information on my account comes up.
The page is completely blank for me, can't see anything in either Firefox or Internet Explorer.

Posted: Sun Feb 17, 2008 6:18 pm
by sjog
All I got was a blank page. You guys were making me nervous.

Posted: Sun Feb 17, 2008 6:44 pm
by socoj2
Link removed for privacy reasons by Pete Zaria. Sorry.

Posted: Sun Feb 17, 2008 7:28 pm
by jrrdw
Blank page with 1st link, page 69 with 2nd link. Nothing about anybody's account.

Posted: Sun Feb 17, 2008 8:07 pm
by Ragnarok
Second one points me at a page, but whether I can access details from there is uncertain.
It did flash up something the first time that looks like it might have been a link to an order history ... but try as I might, it won't appear again.

Posted: Sun Feb 17, 2008 8:51 pm
by pizlo
Holy crap, if I go to your current order I can see your info...
I don't know if you did this but it doesn't still have your credit card number.

Posted: Sun Feb 17, 2008 8:54 pm
by daberno123
I was able to see your info; I just clicked the link you provided us, then clicked current order. Rest assured, I didn't try to order anything, but your information would be available to others with perhaps more malicious intent.

Edit: Pizlo beat me in finding it

Posted: Sun Feb 17, 2008 8:57 pm
by bigbob12345
Wow, this is good to know.
I'm surprised that this actually happens. I won't be posting any more McMaster links anymore.