Home U.S. Coin Forum

Embarrassing Heritage site glitch

Firstly, I empty my browser cache, cookies, and history after every session to keep things tidy. Secondly, I use the Netscape browser. Thirdly, I do not have an account at heritage.com.

What am I talking about, you ask? Well, I went to the Heritage site, and at the top of the screen it said "sign out". Well, I didn't think much of it because some sites just have that plastered at the top whether you're signed in or not. I was going to inquire about consigning to them, and went to their "brief form". I got to it and it was already filled out, with SOMEONE ELSE'S PERSONAL INFORMATION. No social security number or anything like that, but a name, email address, full street address, and a phone number! (It was rainbow*@hotmail.com; I won't put the full email address here. But in case someone would like to attempt to duplicate...) So I clicked the sign out button, went back, and the form was empty. I then clicked a link to the main page, and it said "sign out" again, so I go back to the consignment form, and the info is filled out again!!! Has this happened to anyone else? Do I *really* want to consign to them or even use their website?????


Comments

  • dbldie55 Posts: 7,731 ✭✭✭✭✭
    You had clicked on a link that someone left their SID in. Heritage is aware of this. These should expire. You could not do any damage as you would need the password to do any bidding under the id.
    Collector and Researcher of Liberty Head Nickels. ANA LM-6053
  • robertpr Posts: 6,862 ✭✭✭
    Well heck if I became aware of something like that I'd have my programmers working round the clock to fix it! Is that costing them business? YES!
  • I hope heritage will take care of their security lapse. This needs further investigation.
  • itsnotjustme Posts: 8,777 ✭✭✭
    It's not just a Heritage lapse... it's users' too. I've seen this a dozen times now. Someone is logged into the Heritage site, they want to link to something, and they copy/paste the link from their browser window, which includes the SID (encrypted password embedded). While you can't bid, you could do harm... you can see that person's bids on current auctions. This info could be used in pushing them to their max bid, or to snipe and outbid them at the last moment.

    Whenever I see this, I PM the user and advise them to change their password at Heritage. Users could also log out before leaving the Heritage site.
    Give Blood (Red Bags) & Platelets (Yellow Bags)!
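    The two posts above describe the same failure from both sides: a session identifier ("SID") carried in the URL, so anyone who opens a pasted link inherits the poster's session until it expires, and the fix that depends on users remembering to log out. The following is an added example, not code from Heritage or from any poster here, showing the defender-side handling: a URL scrubber that strips session-like query parameters before a link is shared, and a request authenticator that accepts the session only from a cookie, ignores and reports any token that arrives in the query string, and expires sessions server-side. The parameter names in SESSION_PARAM_NAMES and the cookie name "session" are assumptions for the example; the page only says "SID".

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys assumed (for this example) to carry a session token.
# The page only calls it "SID"; the other names are placeholders.
SESSION_PARAM_NAMES = frozenset({"sid", "session_id", "sessionid"})


def session_params_in_url(url: str) -> list:
    """Names of session-like query parameters present in a URL (detection aid)."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAM_NAMES]


def strip_session_params(url: str) -> str:
    """Return the URL with session-token query parameters removed.

    This is the client-side hygiene step: a link copied from the address bar
    while logged in must not carry the session identifier along with it.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAM_NAMES]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time in seconds


class SessionStore:
    """Server-side sessions keyed by a random token, each with an expiry."""

    def __init__(self, ttl_seconds: int = 30 * 60):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        # 256 bits of randomness: the token is unguessable, which is why it
        # must never be exposed in a shareable place such as the URL.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now + self.ttl)
        return token

    def resolve(self, token: Optional[str], now: float) -> Optional[str]:
        """Return the user for a live token, or None if unknown or expired."""
        if token is None:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]  # lazy expiry on first use after TTL
            return None
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def authenticate_request(store: SessionStore, cookies: dict, url: str, now: float):
    """Resolve the requesting user using ONLY the session cookie.

    Returns (user_or_None, warnings). A token in the query string is never
    honoured, so opening a pasted link cannot log the visitor in as someone
    else; it is reported so the leak can be noticed and the owner contacted.
    """
    warnings = []
    leaked = session_params_in_url(url)
    if leaked:
        warnings.append(f"session parameter(s) {leaked} in URL were ignored")
    return store.resolve(cookies.get("session"), now), warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    store = SessionStore(ttl_seconds=60)
    tok = store.create("alice", now=1000.0)
    print(strip_session_params(f"https://example.test/lot?sid={tok}&item=42"))
    print(authenticate_request(store, {}, f"https://example.test/consign?sid={tok}", now=1010.0))
    print(authenticate_request(store, {"session": tok}, "https://example.test/consign", now=1010.0))
```

    The design choice worth noting is that the server refuses the token from the query string rather than merely preferring the cookie: if the URL form were still accepted as a fallback, every forwarded link would keep working exactly as the thread describes, and the warning would be the only thing gained.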
  • Blade Posts: 1,744
    Brian let me know about this after a post and I was floored. I work in the computer industry and that is one of the biggest security breaches I have seen. Ridiculous.
    Tom

    NOTE: No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.

    Type collector since 1981
    Current focus 1855 date type set
  • airplanenut Posts: 22,148 ✭✭✭✭✭
    so that is why when looking at the site (I'm too young to register) there are random usernames in the bid box...
    JK Coin Photography - eBay Consignments | High Quality Photos | LOW Prices | 20% of Consignment Proceeds Go to Pancreatic Cancer Research
  • nwcs Posts: 13,386 ✭✭✭
    Yeah, stuff like this should be addressed more carefully by the programmers. I'm quite the security conscious programmer so I've done a lot of work on my company's sites to protect against things like this.

    But itsnotjustme is also correct that many of these problems are aided and abetted by users who do not follow best practices or read the instructions.
