Victoria's Secret Customers Exposed
from MSNBC, November 27, 2002
A glitch at the Victoria's Secret Web site allowed customers
who purchased items there to view other customers' orders in
some cases, MSNBC.com has learned. On Friday morning, part of
the site was shut down while company officials investigated.
Personal financial information, such as credit card numbers,
was not exposed by the glitch, but details of customers' intimate
purchases were.
The glitch struck a feature at VictoriasSecret.com that allows
customers to check the status of their orders. Before that feature
was turned off on Friday, the unique number assigned to each
customer was revealed in the Web browser's address window. A
browser user could simply change the customer number and, in some
cases, pull up another customer's orders.
Officials at Limited Brands Inc., which owns the Victoria's Secret
chain, shut down the "order status" feature immediately
after receiving a description of the bug from MSNBC.com.
"Customer security is always a primary concern,"
a company spokesperson said. "We have disabled the function
referred to and are currently investigating."
There are some mitigating factors for those who might be worried
that their intimate orders were viewed by someone else. The glitch
only allowed an Internet voyeur to pull up random orders; there
was no way to search by individual name or geographical region.
Also, it appeared only some customers' orders could be viewed
by altering the customer number in the Web browser's address
field, and it wasn't easy for current site customers to stumble
onto other customers' numbers.
Customer numbers assigned by the site on Tuesday had 8 digits,
while the glitch appeared to apply only to customers who had
been assigned 9-digit numbers, and the numbers were not in series.
That makes it almost impossible to stumble on exposed records
by accident.
But they were easy to find if someone supplied explicit directions,
which Jay Sudowski did for MSNBC. Sudowski is Director of Technical
Operations for Handy Networks, a Web hosting provider in Colorado.
Starting with customer numbers supplied by Sudowski, MSNBC
found large chunks of orders which were viewable; for example,
hundreds of orders placed on Nov. 6 could be viewed. And the
glitch seemed to cover a sizable amount of time, with some viewable
orders dating back as far as June.
Once an appropriate customer number was discovered, a voyeur
apparently could view all orders placed by the customer recently.
Each order record showed what was purchased, including color
and size, price, and the customer's name and address. Other private
information, such as credit card numbers, couldn't be viewed;
anyone attempting to view those was confronted with a user name
and password request.
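The defect the article describes is an order-status lookup keyed on a customer number taken straight from the URL, with nothing tying that number to the person who is logged in. The following is an added illustration, not code from the article or from the Victoria's Secret site: a simplified lookup in that vulnerable shape beside a hardened version that takes identity from the server-side session, plus a small log check that flags a session requesting many different customer numbers. All customer numbers, orders and session tokens are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: customer number -> order summaries (what the
# article says each record exposed: item, color, size, price).
ORDERS = {
    "123456789": [{"item": "robe", "color": "red", "size": "M", "price": 49.00}],
    "987654321": [{"item": "slippers", "color": "blue", "size": "8", "price": 25.00}],
}

# Constructed sessions: session token -> the customer number that logged in.
SESSIONS = {"sess-abc": "123456789"}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def order_status_vulnerable(query_customer: str):
    """The pattern the article describes: the customer number from the URL
    is used directly as the lookup key, with no ownership check, so any
    valid number returns that customer's orders."""
    return ORDERS.get(query_customer, [])


def order_status_hardened(session_token: str, query_customer: str):
    """Hardened form: identity comes from the server-side session, and the
    customer number in the URL is accepted only if it matches that identity.
    An unknown session and a mismatched number are refused the same way, so
    the response does not reveal which customer numbers exist."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != query_customer:
        raise Forbidden("login required, or record not owned by caller")
    return ORDERS.get(owner, [])


def flag_enumerating_sessions(request_log, threshold=1):
    """Detection aid: a legitimate customer queries only their own number,
    so a session that asks for several distinct customer numbers is worth
    alerting on. request_log is an iterable of (session_token, customer_number);
    returns the session tokens exceeding the threshold, sorted."""
    seen = defaultdict(set)
    for token, customer in request_log:
        seen[token].add(customer)
    return sorted(t for t, customers in seen.items() if len(customers) > threshold)
```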
The company didn't immediately know why some orders were revealed
while others weren't, according to the spokesperson, who said
the order status feature wouldn't be turned on again until the
problem was fixed. A message currently on the site instructs
customers to call the firm's 800 telephone number to learn the
status of their orders.
[Comment from Doug Anderson: this is likely to be a "backdoor",
a secret means by which a programmer can inspect transactions,
and it should have been turned off when the program was put into
production.]