solarforceflashlight-sales.com - member list accessible by public

It's accessible directly from solarforceflashlight-sales.com. It's not just a Google cache copy.

Seems to be fixed.
~ edit ~
(link deleted) Might still be vulnerable.

Still coming up on Google though

It's going to come up on Google until they crawl solarforceflashlight-sales.com again.

Free DIY website design?

http://www.webs.com/

They have about 564*15 = 8460 buyers :)

Don't spread the word... let them solve this ASAP before more people can "use" this.

Please don't post on other forums yet.

I hate to make accounts with these stupid vendors. I just pay with PayPal and avoid their silly promotions, points, etc. The fact they ask for your phone number is just retarded. I've never given the correct number yet... Welcome to the internet.

Wrong.

I found myself on their list, and without being logged in in any way, I am able to see the name, email, physical address, phone number, and full purchase history of every user on the list. It looks like I can also edit their accounts, though I didn’t try to save any changes. It seems that other admin functions are available too, simply by following the link from Google.

For that matter, it seems I have access to edit their product listings, authorized dealer lists, … Hey, looks like someone else has already edited that; they added an entry which is an all-caps profane insult.

Hmm. Looking around further, it seems others have probably noticed too. Check out their news page:

I think it’s safe to say it’s totally broken and they need to fix it ASAP.

Edit: When I checked the news page again, the article asking their admin to fix the admin access was gone. Looks like someone there is probably working on it.

Guess it’s good I couldn’t buy direct from them, ended up buying from their Ebay store.

Message from SolarForce. It would appear that my name no longer comes up.

Dear friend,

Thanks for your email and nice to have a chance to serve you

Deeply apologize for any inconvenience caused and we have already fixed
the problem immediately.

Thanks for notifying us about the problem of able to search your email
and name in google search

WE have immediately contact the server Admin for the bug discover, and
they have immediately fix it just now, you can check the link is not
able to access now

After fixing the bug, you will not able to click the link and access
the admin page

I show my deeply apologize there.

Furthermore, we have also email google to let them delete the search, I
think they get back to us and action upon once they get our mail

WE do the best for all of you and sorry for any inconvenience caused.

Have a nice day and thanks for notifying us once you discover the bug,
thank you from my bottom of my heart

Regards

Jo

Got the same message from them. Emailed them telling them to fix it and it looks like they did. Asking Google to fix/update the search was an extra step.

Someone made a mistake, and they quickly resolved it when informed. Good for them.
Will this stop me from shopping there? No, if they have something I want I’ll still get it.
It will make me reconsider putting my full name on any of these online sellers. Even considering revising all of my online accounts, but not sure I need to go that far yet.

Like you said, they acknowledged the mistake and quickly fixed it. I haven’t bought anything there for a while, but I don’t see why I shouldn’t continue to do so. Their prices and customer service are pretty good.

As for my online information, I guess that is the price we all pay when we do shop online. We hope that these online stores have it in our best interest to make sure our information does not go to those who are not meant to get access to it. It just happens to be, things like this just happen.

Same email here too.

It's always wise if you ask me. Even with CC companies and PayPal there is limited security, so a website is bound to have less than ideal security. Any step you can take to minimise risk makes it harder. They don't need your full name anyway, Mr Whatever your last name is should be ample.

I will buy from them again, probably not too long from now, but it was pretty sloppy if you ask me. Especially when you consider the extra access Toykeeper and Helios managed without trying too hard, and without malicious intent.

Breaking news:

Solarforce has changed its sales policy to “pay what you want,” enabling anyone to choose how much to pay for their products.

Try to be nice… SF were probably deceived by a web design company which claimed to be more competent than they really are, and it’s probably going to cost quite a bit to find someone who knows what they’re doing and rebuild it correctly. Competent web developers aren’t cheap.

Aircraft aluminum...?

I've always wondered... Is that from old planes?

Hi everyone,

If you know how to gain access to their admin page, please do NOT post how to do so publicly.

Additionally, please send an email to Solarforce urging them to submit a Google Cache removal request at this URL:
https://support.google.com/websearch/troubleshooter/3111061#ts=2889054,2889060

If anybody else knows how to submit a Google takedown request against a site you don’t own, I’d appreciate a link. I tried to submit a takedown request, but Google’s convoluted “troubleshooter” process just goes in circles and doesn’t allow me to submit requests against a site I don’t administer.

I thought products required a login even before they fixed the member list. :~ Was there another vulnerability or just an extremely weak password? Brute forced it?