Metalworking (rec.crafts.metalworking) Discuss various aspects of working with metal, such as machining, welding, metal joining, screwing, casting, hardening/tempering, blacksmithing/forging, spinning and hammer work, sheet metal work.
#1
Posted to rec.crafts.metalworking
New Harbor Freight website has MAJOR security hole!!!
DO NOT USE IT!!!!
I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one. I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person. Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!

I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another member's account information! I just sent the customer service an E-mail about it but don't know if they will take action.

--
Steve W.
(\___/)
(='.'=)
(")_(")
#2
Posted to rec.crafts.metalworking
"Steve W." wrote in message ...
> DO NOT USE IT!!!!
>
> I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one. I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person. Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!
>
> I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another member's account information! I just sent the customer service an E-mail about it but don't know if they will take action.

They will I am sure.

It's a nice looking website. More clean and professional rather than industrial looking. The search function works better. Now if they would just add all the service and repair parts from the master catalog. That was the main thing I found lacking in the old cart system. They had never done all the data entry for all the repair and service parts. You could search by item number if you knew it, but if you didn't it was impossible to find via the site.

Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.
#3
Posted to rec.crafts.metalworking
On 2010-04-30, Bob La Londe wrote:
> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.

I am OK with either look, but I realized there is one more problem: the old system let me keep my stuff in the shopping cart for weeks. So I would just put stuff in it for a while and then place an order. The new system empties the cart very quickly. This is EXTREMELY STUPID. McMaster Carr also lets me keep a shopping cart almost forever. This is the way it should work.

i
#4
Posted to rec.crafts.metalworking
"Ignoramus9191" wrote in message ...
> On 2010-04-30, Bob La Londe wrote:
>> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.
>
> I am OK with either look, but I realized there is one more problem: the old system let me keep my stuff in the shopping cart for weeks. So I would just put stuff in it for a while and then place an order. The new system empties the cart very quickly. This is EXTREMELY STUPID. McMaster Carr also lets me keep a shopping cart almost forever. This is the way it should work.

That could be related to the other issue. If it's losing track of your cookies and thinking you are somebody else it's not going to show what is in your shopping cart properly either.
#5
Posted to rec.crafts.metalworking
I can't GARDEN TOOLS, LAWN EQUIPMENT stand the pop up windHAND TOOLSows that interfere any time AIR TOOLS that I try and mouse to CLEARANCE CLOSE OUTS something.

--
Christopher A. Young
Learn more about Jesus
www.lds.org
..

"Bob La Londe" wrote in message ...
> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.
#6
Posted to rec.crafts.metalworking
On 2010-04-30, Bob La Londe wrote:
> "Ignoramus9191" wrote in message ...
>> On 2010-04-30, Bob La Londe wrote:
>>> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.
>>
>> I am OK with either look, but I realized there is one more problem: the old system let me keep my stuff in the shopping cart for weeks. So I would just put stuff in it for a while and then place an order. The new system empties the cart very quickly. This is EXTREMELY STUPID. McMaster Carr also lets me keep a shopping cart almost forever. This is the way it should work.
>
> That could be related to the other issue. If it's losing track of your cookies and thinking you are somebody else it's not going to show what is in your shopping cart properly either.

I think that you got it perfectly right.

i
#7
Posted to rec.crafts.metalworking
Bob La Londe wrote:
> "Steve W." wrote in message ...
>> DO NOT USE IT!!!!
>>
>> I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one. I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person. Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!
>>
>> I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another member's account information! I just sent the customer service an E-mail about it but don't know if they will take action.
>
> They will I am sure.
>
> It's a nice looking website. More clean and professional rather than industrial looking. The search function works better. Now if they would just add all the service and repair parts from the master catalog. That was the main thing I found lacking in the old cart system. They had never done all the data entry for all the repair and service parts. You could search by item number if you knew it, but if you didn't it was impossible to find via the site.
>
> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.

Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.

Haven't tried it again but last night I could pull up random names just about every time.

--
Steve W.
#8
Posted to rec.crafts.metalworking
On 2010-04-30, Steve W. wrote:
> Bob La Londe wrote:
>> "Steve W." wrote in message ...
>>> DO NOT USE IT!!!!
>>>
>>> I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one. I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person. Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!
>>>
>>> I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another member's account information! I just sent the customer service an E-mail about it but don't know if they will take action.
>>
>> They will I am sure.
>>
>> It's a nice looking website. More clean and professional rather than industrial looking. The search function works better. Now if they would just add all the service and repair parts from the master catalog. That was the main thing I found lacking in the old cart system. They had never done all the data entry for all the repair and service parts. You could search by item number if you knew it, but if you didn't it was impossible to find via the site.
>>
>> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.
>
> Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.
>
> Haven't tried it again but last night I could pull up random names just about every time.

I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).

i
#9
Posted to rec.crafts.metalworking
"Ignoramus9191" wrote in message ...
>> Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.
>>
>> Haven't tried it again but last night I could pull up random names just about every time.
>
> I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).
>
> i

I wonder then if that was the case, if one could then deliberately fool the system by generating your own cookies and thus harvesting personal information deliberately?

--
Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then they come up with this striped stuff.
#10
Posted to rec.crafts.metalworking
On 2010-04-30, Roger Shoaf wrote:
> "Ignoramus9191" wrote in message ...
>>> Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.
>>>
>>> Haven't tried it again but last night I could pull up random names just about every time.
>>
>> I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).
>>
>> i
>
> I wonder then if that was the case, if one could then deliberately fool the system by generating your own cookies and thus harvesting personal information deliberately?

On decent websites, cookies are hard to guess. My site algebra.com gives cookies like this:

    Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT

(cookie slightly altered but looks same as the original).

It is not easy to guess someone else's cookie.

i
#11
Posted to rec.crafts.metalworking
"Ignoramus9191" wrote in message news
> On 2010-04-30, Roger Shoaf wrote:
>> "Ignoramus9191" wrote in message ...
>>>> Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.
>>>>
>>>> Haven't tried it again but last night I could pull up random names just about every time.
>>>
>>> I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).
>>>
>>> i
>>
>> I wonder then if that was the case, if one could then deliberately fool the system by generating your own cookies and thus harvesting personal information deliberately?
>
> On decent websites, cookies are hard to guess. My site algebra.com gives cookies like this:
>
>     Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT
>
> (cookie slightly altered but looks same as the original).
>
> It is not easy to guess someone else's cookie.

Do the cookies progress randomly or could one deduce the progression or regression from a limited sample?

It would seem to me that if the cookie generation was not given a lot of thought, then on commercial sites, one might have the ability to sneak in and poke around.

--
Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then they come up with this striped stuff.
#12
Posted to rec.crafts.metalworking
Ignoramus9191 wrote:
>> Got an Email reply from them. Seems that they tested the site and found the same thing I did. The message said they were putting the site on maintenance mode to test it more.
>>
>> Haven't tried it again but last night I could pull up random names just about every time.
>
> I think that what happens is that they give everyone the same cookie (one cookie value given to everyone).
>
> i

I pulled the ones I had and all were different. I had saved them in a file in case they didn't believe it. Deleted it when I called and found they were working on it. Talked to a human about it and was told that soon after my message came in they received more asking the same questions. I'm sort of surprised others didn't catch it first. Should have asked for an unlimited gift card....

Anyway she said they were pulling the site until they could figure out the problem.

--
Steve W.
(\___/)
(='.'=)
(")_(")
#13
Posted to rec.crafts.metalworking
On Fri, 30 Apr 2010 18:20:26 -0400, "Steve W." wrote:
> I pulled the ones I had and all were different. I had saved them in a file in case they didn't believe it. Deleted it when I called and found they were working on it. Talked to a human about it and was told that soon after my message came in they received more asking the same questions. I'm sort of surprised others didn't catch it first.

It's always a bit scary when you realise that you're the first person to report a bug!

BTDT

Mark Rand
RTFM
#14
Posted to rec.crafts.metalworking
On 2010-04-30, Roger Shoaf wrote:
> "Ignoramus9191" wrote in message news

[ ... ]

>> On decent websites, cookies are hard to guess. My site algebra.com gives cookies like this:
>>
>>     Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT
>>
>> (cookie slightly altered but looks same as the original).
>>
>> It is not easy to guess someone else's cookie.
>
> Do the cookies progress randomly or could one deduce the progression or regression from a limited sample?
>
> It would seem to me that if the cookie generation was not given a lot of thought, then on commercial sites, one might have the ability to sneak in and poke around.

If I were generating cookies which could be used to access personal information, I would probably start with the process ID and the unix raw date, with the digits interleaved by some pattern, and then run an MD5 checksum on it to generate the actual cookie numbers.

Depending on how serious the stored data was, I would probably toss another few randomizers into the game.

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
#15
Posted to rec.crafts.metalworking
On Fri, 30 Apr 2010 08:32:44 -0700, "Bob La Londe" wrote:
> "Steve W." wrote in message ...
>> DO NOT USE IT!!!!
>>
>> I went there and looked it over. Yes it's slow. They have a notice that if you had an account prior to the 19 you need to sign up for a new one. I clicked the account button to create a new account. Instead of getting any type of account log in or sign-up page I was sent to the account of a person who lives in the 914 area of NY. It listed the name, address, phone numbers and recent orders for this person. Thinking this was a glitch I tried to exit and reload the page. It brought up a new page with the account information of a person in Wisconsin!
>>
>> I closed down the browser, flushed the memory and went back to the site to see if I could get in. Went to the same "secure" section of the site and tried the account button again. It took me to yet another member's account information! I just sent the customer service an E-mail about it but don't know if they will take action.
>
> They will I am sure.
>
> It's a nice looking website. More clean and professional rather than industrial looking. The search function works better. Now if they would just add all the service and repair parts from the master catalog. That was the main thing I found lacking in the old cart system. They had never done all the data entry for all the repair and service parts. You could search by item number if you knew it, but if you didn't it was impossible to find via the site.
>
> Some folks may not like the clean and professional look now. The old cart system had that rough oily feel of actually being in a Harbor Freight store. You could almost smell the machine oil and the cosmoline. I kinda liked that. Then I think a shop that doesn't smell of oil, old varnishes, and spilled paint just isn't a shop.

Actually...I agree 100% with you.

Gunner

"First Law of Leftist Debate The more you present a leftist with factual evidence that is counter to his preconceived world view and the more difficult it becomes for him to refute it without losing face the chance of him calling you a racist, bigot, homophobe approaches infinity. This is despite the thread you are in having not mentioned race or sexual preference in any way that is relevant to the subject." Grey Ghost
#16
Posted to rec.crafts.metalworking
"DoN. Nichols" wrote in message ...
> If I were generating cookies which could be used to access personal information, I would probably start with the process ID and the unix raw date, with the digits interleaved by some pattern, and then run an MD5 checksum on it to generate the actual cookie numbers.
>
> Depending on how serious the stored data was, I would probably toss another few randomizers into the game.

Seems to me (and I am no expert), that the ability to access personal info should be blocked from cookie access. To get to that data you should have to log in with password and ID. To do it otherwise seems to me to invite trouble.

--
Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then they come up with this striped stuff.
#17
Posted to rec.crafts.metalworking
On 2010-05-01, Roger Shoaf wrote:
> "DoN. Nichols" wrote in message ...
>> If I were generating cookies which could be used to access personal information, I would probably start with the process ID and the unix raw date, with the digits interleaved by some pattern, and then run an MD5 checksum on it to generate the actual cookie numbers.
>>
>> Depending on how serious the stored data was, I would probably toss another few randomizers into the game.
>
> Seems to me (and I am no expert), that the ability to access personal info should be blocked from cookie access. To get to that data you should have to log in with password and ID. To do it otherwise seems to me to invite trouble

Yes -- but some systems *remember* that you have logged in based on cookies set for the session time only. HTTP is a "stateless" protocol, so it can't remember that you are logged in without some kind of help.

Better would be double-key encryption both ways of course.

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
Reply |
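The two session-cookie points raised in the thread (a cookie value built from process ID and Unix time run through MD5, and a cookie that "remembers" a login because HTTP is stateless), as an added Python example that is not code from any poster or from Harbor Freight. The interleave pattern, `PID_MAX`, the `SessionStore` class and the sample values are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import time

PID_MAX = 32768  # assumption: default Linux pid_max


def pid_time_token(pid: int, unix_time: int) -> str:
    """Thread's scheme: interleave PID and Unix-time digits (pattern assumed), then MD5."""
    a, b = str(pid), str(unix_time)
    width = max(len(a), len(b))
    mixed = "".join(x + y for x, y in zip(a.zfill(width), b.zfill(width)))
    return hashlib.md5(mixed.encode()).hexdigest()


def pid_time_entropy_bits(window_seconds: int, pid_max: int = PID_MAX) -> float:
    """Upper bound on that token's entropy: hashing adds none, only the inputs count."""
    return math.log2(window_seconds * pid_max)


class SessionStore:
    """Hypothetical server-side session table keyed by a random, unguessable token."""

    def __init__(self, ttl_seconds: int = 1800, token_bytes: int = 16):
        self.ttl = ttl_seconds
        self.token_bytes = token_bytes  # 16 bytes = 128 bits from the OS CSPRNG
        self._sessions = {}  # token -> (user_id, expires_at)

    def login(self, user_id, old_token=None, now=None):
        """Issue a fresh token after a password login; drop any earlier token."""
        now = time.time() if now is None else now
        self._sessions.pop(old_token, None)
        token = secrets.token_hex(self.token_bytes)
        while token in self._sessions:  # never hand out a token already in use
            token = secrets.token_hex(self.token_bytes)
        self._sessions[token] = (user_id, now + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Return the token's owner, or None. There is no fallback account."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token) if isinstance(token, str) else None
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired sessions are removed, not reused
            return None
        return user_id

    def logout(self, token):
        self._sessions.pop(token, None)


def demo():
    # Constructed values: one worker process serving two visitors in the same second.
    same = pid_time_token(4242, 1272666026) == pid_time_token(4242, 1272666026)
    bits = pid_time_entropy_bits(24 * 3600)  # one day of possible issue times
    store = SessionStore()
    alice = store.login("alice", now=1000.0)
    bob = store.login("bob", now=1000.0)
    return same, round(bits, 1), store.user_for(alice, now=1001.0), store.user_for(bob, now=1001.0)


if __name__ == "__main__":
    print(demo())
```

With these assumptions the PID-plus-time token carries at most about 31 bits over a day of issue times and is identical for two visitors served by the same process in the same second, while each `secrets.token_hex(16)` value carries 128 random bits and maps to exactly one user on the server.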