It started with me Googling my own name. Yeah, I had a few minutes to spare this morning. I have a pretty unique first name and surname, so, usually, there aren’t that many hits that show up on Google, or it has been the same/usual suspects (i.e. Facebook and my LinkedIn account).
Anyway… to my surprise, lo and behold, I find my solarforceflashlight-sales account pop up. It only shows my real name and my email address, along with everyone else who has made an online account with them. No, you cannot access any other information but name and email address, but someone who is more knowledgeable than myself probably could find a backdoor into there if they tried.
I’ll shoot them an email to let them know of their security lapse. This is just an FYI for members here who might consider making some changes to their online account with them if they don’t want people to know their real name or email address.
Sure enough, Google your name and add solarforce and the first hit is a list with all the names and emails. Such carelessness deserves none of my cash. |(
Sent them an email. Probably PayPal and Visa should look into it too, since someone more tech-savvy might access some other parts like purchase history and payment info. Maybe we should notify the other forums about it.
Let's see how long it takes for them to fix it.
I have emailed them with a link to this thread. Let's see if we get a response.
|( At least they responded quickly, although the error is very serious.
Pardon my tone of language on the deleted post.
Notified PayPal about it too
Well that sucks.
Edit: Found myself, and a couple of others I know by name. Gonna see if I can delete my account now…
Edit2: Couldn’t delete, so changed my name to initials. (tip: log out and back in to confirm the change).
Edit3: I recommend everyone do this to ensure their real name stops being crawled in association with their PP account email.
I did a check like that before too with my first name + surname and then with my surname.
My surname is a common one in the Muslim world, so nothing gets related to me. With my complete name, I found it a bit disturbing that all my likes and talk in public groups on Facebook were available on Google. So I just changed my real name to a pseudo name on Facebook. Problem solved.
I stopped buying from IOS after its security blunder. I will stop buying from SF Sales now as well.
Leaving the customer list visible like that is a massive snafu. SMH.
It's an admin page of some kind. Sadly, changing your details doesn't seem to work, not immediately at least. I tried it a couple of hours ago, cleared my cache, and it still comes up with my original reg name. Might work eventually though, so it's still worth trying.
Lucky for me, I never use my full name anyway.
I'm thinking the admin forgot to tell Google not to cache the page, so Google has cached a page meant to be accessible only by admin rights.
It's accessible directly from solarforceflashlight-sales.com. It's not just a Google cache copy.
Seems to be fixed.
~ edit ~
(link deleted) Might still be vulnerable.
Still coming up on Google though.
It's going to come up on Google until they crawl solarforceflashlight-sales.com again.
They have about 564*15 = 8460 buyers
Don't spread the word... let them solve this ASAP before more people can "use" this.
Please don't post on other forums yet.
I hate to make accounts with these stupid vendors. I just pay with PayPal and avoid their silly promotions, points, etc. The fact they ask for your phone number is just retarded. I've never given the correct number yet... Welcome to the internet.