Fenix Store Security Issue! Please Read.

conwict

Newly Enlightened
Joined
Nov 25, 2007
Messages
22
Location
Guilford Co., NC
So I'm googling for an L0D Q4 to determine if the snowflake and bell are actually on the light or not, and I get to Fenix Store's site...and I see an "order history" and a shopping cart with the L0D in it. Huh? Also I see a Mr. Edited's personal info, including address...and just to figure out the nature of this problem, I went to checkout. All the info was already there.

This guy lives somewhere in (edited). And I am in North Carolina. If I were dishonest, I could change his address to mine and use his billing info. So, since I'm not, I'm going to leave his info up to see if I can help Fenix Store resolve the problem...however, if you're Mr. ________, please know I will not misuse your info in any way. He used the CPF8 code, so I assume he is a member here. Bizarre.

Someone from Fenix Store care to respond, or anyone care to point me in the right direction to get up with them??
 

4sevens

Flashlight Enthusiast
Joined
Feb 29, 2004
Messages
2,876
Location
Atlanta, GA
I just fixed it. I'm having the store use cookies now instead of session id's.
Sorry about that. But now anyone who was to order stuff has to have cookies
enabled. No biggie, but we went with session id's because a small group of
people were complaining about cookies.

conwict, if you don't mind please edit out private info such as names and state.
 

conwict

Newly Enlightened
Joined
Nov 25, 2007
Messages
22
Location
Guilford Co., NC
No problem 4sevens, done.

What I don't get is how I got all that stuff on the guy. I've never ordered from you or anything.

And hopefully this post was helpful. I don't mean to be alarming anyone or anything.

So what exactly happened with the cookies?
 

jzmtl

Flashlight Enthusiast
Joined
Dec 4, 2006
Messages
3,123
Location
Montreal, Canada
I saw this yesterday too, was gonna PM 7777 but got distracted and forgot about it. It works okay now.

But I don't think billing info was stored, so all you can find out is the guy's name and address.
 

4sevens

Flashlight Enthusiast
Joined
Feb 29, 2004
Messages
2,876
Location
Atlanta, GA
yep. we never ever store payment info. all that is handled through paypal
whether you have a paypal account or not. we don't handle cc numbers
for a good reason :)
 

Stillphoto

Flashlight Enthusiast
Joined
Mar 14, 2005
Messages
1,213
Location
Orange County
This seems to happen, my first experience with the Sandwich Shoppe years ago had a similar thing happen, but it all got fixed immediately. Glad to see no one took advantage of the situation.
 

Willabbott

Newly Enlightened
Joined
Nov 14, 2006
Messages
139
Location
Albany, OR
Wow, that is a little scary... I just ordered an L0D Q4 Red this morning, sounds a lot like my order, dunno if it was or not...

But as FourSevens said, not really much you could do...because I know as I processed my order this morning (which did appear to have issues at one point, something about being incomplete even after I finished, then showing up as processing) I was redirected to Paypal (as usual) then had to login with my password for paypal, and choose how to pay...

So worst case, all you would get is my address and name... perhaps email address? Which I don't like people knowing where I live, but not as big of a deal as getting a credit card number or bank account...

Good catch, glad Foursevens was able to fix it so quick.

Sounds a lot like my order though ;) right light, right discount code :)
 

Dantor

Enlightened
Joined
Dec 7, 2006
Messages
338
Location
Oregon
Nice job all, these things happen and it's nice to see quick/good responses, I think 4sevens was a minuteman in a past life!
 

Lobo

Flashlight Enthusiast
Joined
Dec 31, 2005
Messages
1,577
Location
Sweden
Nice job all, these things happen and it's nice to see quick/good responses, I think 4sevens was a minuteman in a past life!

Huh? Didn't get that reference. Would you please explain it to me. Curious. Only time I've read about minutemen before is in the comic "100 bullets". :)

And you've got to love the irony that the fellow that started the thread and kindly reported the error has the handle Conwict. :)

And good job everybody!
 

PhilV

Newly Enlightened
Joined
Nov 29, 2007
Messages
51
Huh? Didn't get that reference. Would you please explain it to me. Curious. Only time I've read about minutemen before is in the comic "100 bullets". :)


Minutemen are commonly regarded as revolutionary war militia, that when called upon would be ready in a "minute", or at a moment's notice. They were highly trained and well seasoned, dutied to protect their town and lands.

Here's a link to more information.
http://www.ushistory.org/people/minutemen.htm
 

conwict

Newly Enlightened
Joined
Nov 25, 2007
Messages
22
Location
Guilford Co., NC
:lolsign: ...

This "security issue" is some months old ... and was already mentioned here on CPF a couple of times ... :whistle:


Look, a server randomly vomiting data IS a security issue. I don't know how old it is or the details, or heck, how it even happens. But I do know that I would do something about it if I were the owner of FS.

Anyone who thinks that a name, address, and order history doesn't open the door on dishonesty is naive. If you're okay with your name, address, and other personal info being belched into random website visitors' browsers, that's fine; I'm not.
 

half-watt

Flashlight Enthusiast
Joined
Jul 12, 2007
Messages
1,095
Location
Southern Connecticut
Look, a server randomly vomiting data IS a security issue. I don't know how old it is or the details, or heck, how it even happens. But I do know that I would do something about it if I were the owner of FS.

Anyone who thinks that a name, address, and order history doesn't open the door on dishonesty is naive. If you're okay with your name, address, and other personal info being belched into random website visitors' browsers, that's fine; I'm not.


maybe i'm asking for trouble by chiming in here. really, only want to help you, conwict.

conwict, please note that the individual to whom you are replying has edited his Post.

i read it before it was edited. as it stands now, it appears to be "flaming" you. in reality, my interpretation of it as it read before the edit, it appeared to be "flaming" 4sevens. i won't mention what the now deleted portion said (i still have a pretty clear recollection of it).

i think, but i could be wrong, that it was intended to be laughing at the situation and not at you.

in fact, if i understood the unedited Post correctly (and maybe i didn't??? who knows, i'm not the brightest bulb of the bunch), i was wondering when someone like Empath, for example, was gonna' either privately via PM, or publicly provide some gentle persuasion to edit the Post or move it to the Jeers section. please take this "wondering" of mine with a grain of salt, b/c as i said, it was my, perhaps faulty, interpretation of the unedited Post.

hope this helps. if i've only fueled any bad feelings you may have due to that other Post, please accept my sincere apologies. i truly did not mean to add to them. feel free to either publicly or privately, via PM, set me straight if you feel that i should not have attempted to clear up what i perceived to be a misunderstanding caused by the edited Post of that other individual. don't worry, you won't offend me in the least if you let me have it ("Shields Up!!!")
 

conwict

Newly Enlightened
Joined
Nov 25, 2007
Messages
22
Location
Guilford Co., NC
maybe i'm asking for trouble by chiming in here. really, only want to help you, conwict.

conwict, please note that the individual to whom you are replying has edited his Post.

i read it before it was edited. as it stands now, it appears to be "flaming" you. in reality, my interpretation of it as it read before the edit, it appeared to be "flaming" 4sevens. i won't mention what the now deleted portion said (i still have a pretty clear recollection of it).

i think, but i could be wrong, that it was intended to be laughing at the situation and not at you.

in fact, if i understood the unedited Post correctly (and maybe i didn't??? who knows, i'm not the brightest bulb of the bunch), i was wondering when someone like Empath, for example, was gonna' either privately via PM, or publicly provide some gentle persuasion to edit the Post or move it to the Jeers section. please take this "wondering" of mine with a grain of salt, b/c as i said, it was my, perhaps faulty, interpretation of the unedited Post.

hope this helps. if i've only fueled any bad feelings you may have due to that other Post, please accept my sincere apologies. i truly did not mean to add to them. feel free to either publicly or privately, via PM, set me straight if you feel that i should not have attempted to clear up what i perceived to be a misunderstanding caused by the edited Post of that other individual. don't worry, you won't offend me in the least if you let me have it ("Shields Up!!!")


No, it's perfectly fine to state your mind, and I don't even really have much stake in this whole matter.

I don't know if I'd say that the person I replied to was flaming me, but it was a bit odd--he seemed to imply that it was a small matter. I disagreed...possibly in a snarky way. All too easy to do on an internet forum.

Anyway, don't think I'm upset. I just made the thread to help out 4sevens, or whoever operates fenix-store.com. It's up to him what to do.

Have a good one.
 

Patriot

Flashaholic
Joined
Feb 13, 2007
Messages
11,254
Location
Arizona
:lolsign: ...

This "security issue" is some months old ... and was already mentioned here on CPF a couple of times ... :whistle:


I've heard this exact same thing twice before over the past 4 -6 months. Hopefully it's a done deal this time.
 

LEDninja

Flashlight Enthusiast
Joined
Jun 15, 2005
Messages
4,896
Location
Hamilton Canada
Yaaaah,
When I link to the Fenix store, I no longer have to delete "&custID=1234567890abcdefghijklmnopqrstuvwayz" any more.
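The change 4sevens describes (moving the session identifier out of the URL and into a cookie) and the `custID` query parameter LEDninja mentions, as an added Python illustration that is not code from the thread or from the Fenix Store; the store hostname, `cart.php` path, cookie name and session layout are constructed assumptions. It shows why a link copied while the id rides in the URL hands the copier's cart to whoever follows it, and why a cookie-carried id does not.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs

# Constructed in-memory session store (assumption, not the real store's design).
SESSIONS = {}

def new_session(customer):
    """Create a session keyed by an unguessable random identifier."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"customer": customer, "cart": ["L0D Q4"]}
    return sid

def session_from_url(url):
    """Flawed pattern: the identifier travels in the query string, so every
    copied, shared or search-indexed link carries the session along with it."""
    qs = parse_qs(urlparse(url).query)
    sid = qs.get("custID", [None])[0]
    return SESSIONS.get(sid)

def session_from_cookie(cookie_header):
    """Fixed pattern: the identifier lives only in a cookie that the browser
    returns to the issuing site; it never becomes part of a link."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else None
    return SESSIONS.get(sid)

def session_cookie_header(sid):
    """Set-Cookie value keeping the id away from scripts and off plaintext HTTP."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def shared_link_leaks(sid):
    """Simulate customer A copying a store link and a stranger following it.
    Returns (leaks_in_flawed_mode, leaks_in_fixed_mode)."""
    link = f"https://store.example/cart.php?item=L0D&custID={sid}"
    flawed = session_from_url(link) is not None
    # The stranger's browser holds no cookie for the store, so the cookie-based
    # lookup resolves nothing even though the very same link was followed.
    fixed = session_from_cookie("") is not None
    return flawed, fixed

if __name__ == "__main__":
    sid = new_session("customer-a")
    print("URL-carried id leaks:", shared_link_leaks(sid)[0])   # True
    print("Cookie-carried id leaks:", shared_link_leaks(sid)[1])  # False
```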
 