PSA - About McMaster's Website

socoj2
Specialist
Posts: 169
Joined: Fri Jun 29, 2007 9:17 am

Sun Feb 17, 2008 3:40 pm

Apparently if you are logged in and send the link to a product, the URL actually includes your account info. So if you have a stored credit card number someone can just order stuff and have it sent to you.

Furthermore, to log into someone's account all you need is their email address. It does not prompt you for a password.

I will only be doing phone orders until they get this fixed and have since cleared all my information out.
potatoflinger
Sergeant 2
Posts: 1136
Joined: Thu Nov 02, 2006 3:26 pm
Location: Maryland

Sun Feb 17, 2008 3:42 pm

Wow, that's not good. Thanks for the heads-up.
It's hard to soar with eagles when you're working with turkeys.
jrrdw
Moderator
United States of America
Posts: 6570
Joined: Wed Nov 16, 2005 5:11 pm
Location: Maryland
Has thanked: 39 times
Been thanked: 22 times

Donating Members

Sun Feb 17, 2008 3:44 pm

Sooooo, what's your email, I need to order some stuff and have you pay for it.

But really, how did you find this out?
socoj2
Specialist
Posts: 169
Joined: Fri Jun 29, 2007 9:17 am

Sun Feb 17, 2008 3:58 pm

I posted a link to something in another forum, and someone messaged me and told me about it. I then verified it by clearing all my cookies and hitting the link, and then I did it from another computer.

I also cleared my cookies and went to the website and noticed they didn't ask me for a password to log in.
jrrdw
Moderator
United States of America
Posts: 6570
Joined: Wed Nov 16, 2005 5:11 pm
Location: Maryland
Has thanked: 39 times
Been thanked: 22 times

Donating Members

Sun Feb 17, 2008 4:00 pm

Did you send them a message about it?

Just went there and copied and pasted this --

Security


The security of your information is important to us. We have several controls in place to keep your address, contact, and credit card information safe.

When you visit McMaster.com we can tell if you’re using the same computer that you’ve used during a previous visit by looking for a cookie. A cookie is a small text file stored in a temporary folder of your web browser. Cookies are commonly used to retain and speed the transfer of information between websites and personal computers. The file does not contain any personal information and cannot be used to harm or access information on your computer. If you have a cookie, you will be able to see your personal account information.

If you visit us from a different computer that does not have your cookie or you have deleted your cookie, you can retrieve your personal information by providing your e-mail address or user name. If you are coming from a different network than you have used in the past, we will prompt you for your password, to verify your identity.

Whenever we transmit your credit card information over the Internet, we use the industry standard Secure Socket Layer (SSL) encryption. Your full credit card number is never displayed or accessible from anywhere on our website. When you use a saved credit card, we only include the last four digits of the credit card number on the order page so you can tell which credit card you used. You cannot edit your credit card number online, only the nickname for the card and the expiration date.


If your company has security guidelines that require you to provide a user name and password before gaining access to your personal account information on a website, you can change your security preference below.

Recommended: The web site will normally remember all of your information. If you visit us from a computer on a different network, you can retrieve your information by providing your user name and password.

Very High: You have to sign in with your user name and password each time you visit to access any of your saved account information (e.g. addresses, custom shipping method, saved credit cards, etc.). If you close your browser or click "Sign Out" you will have to sign in again before gaining access to your account information.

From the security link at the bottom of the webpage.
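
The access rules described in the first post and in the quoted security page, modelled next to a stricter rule, as an added example that is not part of the original thread and is not McMaster's code. The `acct` URL parameter, the `sid` cookie, the sample account data and the function names are all hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

@dataclass
class Request:
    url: str
    network: str                      # network the request comes from
    cookies: dict = field(default_factory=dict)
    email: str = ""                   # e-mail typed into the sign-in box, if any
    password_ok: bool = False         # True only when a correct password was given

# Constructed sample data (all values hypothetical).
TOKENS = {"t-7f3a": "buyer@example.com"}          # account token -> account
SEEN_NETWORKS = {"buyer@example.com": {"home"}}   # networks each account has used
AUTH_SESSIONS = {"s-91c2": "buyer@example.com"}   # sessions opened by password login

def account_as_described(req):
    """Which account the site shows under the behaviour described in the thread."""
    # First post: the product link itself carries the account identifier.
    token = parse_qs(urlparse(req.url).query).get("acct", [None])[0]
    if token in TOKENS:
        return TOKENS[token]
    # Quoted policy: a remembered cookie shows the account without a password.
    if req.cookies.get("acct") in TOKENS:
        return TOKENS[req.cookies["acct"]]
    # Quoted policy: no cookie, e-mail is enough unless the network is new.
    if req.email in SEEN_NETWORKS:
        if req.network in SEEN_NETWORKS[req.email] or req.password_ok:
            return req.email
    return None

def account_hardened(req):
    """Stricter rule: the URL is never consulted and a password is always required."""
    sid = req.cookies.get("sid")
    if sid in AUTH_SESSIONS:          # session cookie issued after a password login
        return AUTH_SESSIONS[sid]
    if req.email in SEEN_NETWORKS and req.password_ok:
        return req.email
    return None

# A link copied by a signed-in user, opened by someone else with no cookies.
shared = Request("https://shop.example/item?id=42&acct=t-7f3a", network="elsewhere")
# An e-mail address alone, submitted from a network the account has used before.
email_only = Request("https://shop.example/", network="home", email="buyer@example.com")

if __name__ == "__main__":
    for name, req in (("shared link", shared), ("e-mail only", email_only)):
        print(name, "| described:", account_as_described(req),
              "| hardened:", account_hardened(req))
```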
PCGUY
Owner
United States of America
Posts: 1434
Joined: Wed Aug 18, 2004 10:54 pm
Location: Illinois
Has thanked: 2 times
Been thanked: 26 times

Sun Feb 17, 2008 4:10 pm

Interesting thing is, the McMaster URL stays the same the entire time... so the only way you would be able to link someone to a product is if you were to actually isolate the frame it is showing in and send someone that URL.

This is probably why it's designed that way.

As far as the login thing goes I don't know, I have never saved a number anywhere like that... nor have I ever made an account there. However things ordered with your card would end up at your house, not someone else's.
Yes, I am the guy that owns & operates SpudFiles (along with our extremely helpful moderators).
socoj2
Specialist
Posts: 169
Joined: Fri Jun 29, 2007 9:17 am

Sun Feb 17, 2008 6:06 pm

Link removed for privacy reasons by Pete Zaria. Sorry.

You guys hit that and see if the information on my account comes up.
Ragnarok
Captain
Posts: 5401
Joined: Tue Dec 19, 2006 8:23 am
Location: The UK

Sun Feb 17, 2008 6:14 pm

socoj2 wrote: You guys hit that and see if the information on my account comes up.
The page is completely blank for me, can't see anything in either Firefox or Internet Explorer.
Does that thing kinda look like a big cat to you?
sjog
Specialist 4
Posts: 440
Joined: Sun Oct 15, 2006 9:43 pm
Location: Marthas Vineyard

Donating Members

Sun Feb 17, 2008 6:18 pm

All I got was a blank page. You guys were making me nervous
socoj2
Specialist
Posts: 169
Joined: Fri Jun 29, 2007 9:17 am

Sun Feb 17, 2008 6:44 pm

Link removed for privacy reasons by Pete Zaria. Sorry.
jrrdw
Moderator
United States of America
Posts: 6570
Joined: Wed Nov 16, 2005 5:11 pm
Location: Maryland
Has thanked: 39 times
Been thanked: 22 times

Donating Members

Sun Feb 17, 2008 7:28 pm

Blank page with 1st link, page 69 with 2nd link. Nothing about anybody's account.
Ragnarok
Captain
Posts: 5401
Joined: Tue Dec 19, 2006 8:23 am
Location: The UK

Sun Feb 17, 2008 8:07 pm

Second one points me at a page, but whether I can access details from there is uncertain.
It did flash up something the first time that looks like it might have been a link to an order history ... but try as I might, it won't appear again.
Does that thing kinda look like a big cat to you?
pizlo
Corporal 3
Posts: 783
Joined: Fri Dec 22, 2006 7:27 pm

Sun Feb 17, 2008 8:51 pm

Holy crap, if I go to your current order I can see your info...
I don't know if you did this but it doesn't still have your credit card number.
daberno123
Corporal
Posts: 594
Joined: Mon Nov 19, 2007 5:56 pm
Location: Ohio

Sun Feb 17, 2008 8:54 pm

I was able to see your info, I just clicked the link you provided us then clicked current order. Rest assured, I didn't try to order anything, but your information would be available to others with perhaps more malicious intent.

Edit: Pizlo beat me in finding it
bigbob12345
Staff Sergeant
Posts: 1516
Joined: Sat Dec 01, 2007 9:13 am
Location: Mercer Island,Washington

Sun Feb 17, 2008 8:57 pm

Wow, this is good to know.
I'm surprised that this actually happens. I won't be posting any more McMaster links anymore.