    Customer details being overwritten by other customers details on their PC!

    Hi,

    I hope you can help as we seem to have a massive security problem.

    Customers are complaining that they are getting other customers' details in the checkout on their PC. These are completely unrelated to the customer but are people who have placed orders previously. The issue seems to be happening when the customer starts checkout and then abandons it to change the contents of the cart. Once they go back into the checkout they find completed details for someone else. We have 5 confirmed cases in the last month. They each supplied us with the correct, complete details for customers they could not know. Including, on one occasion, myself!

    If a customer shares their experience on social media it would effectively kill our business. We are very concerned this is happening very many more times than we are being told about. Currently our orders are down by about 50%.

    I have raised this with SellerDeck but they tell me it is impossible and can't be happening. I don't know what to do?

    Any advice or help would be gratefully received.

    Many thanks

    Tony
    Tony
    www.secretgardenquilting.co.uk

    #2
    Very strange, I've never heard of anything like this before. Firstly I would change your own FTP passwords as a safeguard, then perhaps a wipe-out online and refresh of the site might be worth considering (but be very careful that there's nothing else online you may need that won't get uploaded again by SD).



      #3
      Just clicked the link in your signature and Virgin has blocked it. Have you been hacked or is it an adult web site?
      =======================================
      Cater For You Ltd



        #4
        Not had/heard of this problem... I got onto your site, and could not get other customers details (tried the popular browsers) - seems to work okay on my end.

        Was this after an update? or just out of the blue?

        =================================

        I did have a problem where a customer's shipping price was being calculated incorrectly, and Sellerdeck support advised:

        It is possible that if the order is stopped at this point in the initial order, and the 'Remember Me' option is selected, then this option will be displayed initially as the payment option, until the session expires.

        It may be prudent to temporarily disable this option and monitor if it re-occurs. To do this go to 'Design | Text' and click the 'Go to' button and enter a 'Phase' of 0 and an 'ID' of 17 and remove the tick from 'Show' and click 'OK' and upload the site.
        I haven't had that problem since, so maybe give that a go. But now I do have, on a few occasions, customers complaining our site does not "remember" them...



          #5
          Hi All

          Thank you. I am very worried about the Virgin block. Our website is quilting fabric. No adult material. The link is: https://www.secretgardenquilting.co.uk/

          We are on BT so I can't check Virgin. I would appreciate anyone who is on Virgin just checking it.

          We are on 16.05 and have made no changes for at least 9 months. The problem has been reported by customers over the last 2 months.

          Many thanks

          Tony

          Tony
          www.secretgardenquilting.co.uk



            #6
            Hi Tony, I've just sent you an email on this. Let me know if you don't get it.

            Mike
            -----------------------------------------

            First Tackle - Fly Fishing and Game Angling

            -----------------------------------------



              #7
              Hi Mike. Thank you so much. I have just replied and did have a couple of questions. Many thanks Tony
              Tony
              www.secretgardenquilting.co.uk



                #8
                Hi All.

                Sellerdeck support have been very responsive on this issue. I understand (from Ian Bigg) they will be posting on this link to explain the issue and what people need to do to prevent it happening on their sites.

                Given the sensitivity I do not want to mis-represent anything and so think it is best that Sellerdeck explain.

                Many thanks for everyone's help.
                Tony
                www.secretgardenquilting.co.uk



                  #9
                  As I've been instrumental in solving the problem for this site, and as Bruce is away at the moment, I'll respond.

                  We have not had any previous reports of a problem like this. The consequences are extremely serious, which is why I got involved to diagnose the issue.

                  It's due to custom code in the site.

                  The site had implemented a change suggested in the thread from 2010 at https://community.sellerdeck.com/for...-cart-contents. These changes remember the state of the cart during checkout (hidden or shown).

                  If you read on you will find this message, which is the same problem reported by Tony:
                  Originally posted by Darren B:
                  It seems that the first time checking out it cleared the basket, the second time it picked up other details and the wrong addresses, as they were different to the ones entered. I have a feeling this is the cookie thing. somehow it picked up my previous address details when testing instead of the new details when someone else was testing?
                  The customisation adds a cookie called ACTINIC_CARTVIZ with content "show" or "hide". This causes a conflict with the Perl script which finds the ACTINIC_CART cookie. The result is that if the cart is shown or hidden during checkout, the online session file (which contains cart contents etc) is called "show" or "hide". It's likely that other shoppers will share the same session file.

                  We will prevent this conflict in the next maintenance release for version 18 (18.0.3).

                  To check if your site has this problem, search in your library code for the text ACTINIC_CARTVIZ. If it's not there then no further changes are needed.

                  If it is there, then a simple change to Actinic.pm will prevent the problem. However, an additional change is required to discard any existing ACTINIC_CART cookie with value of "hide" or "show". Please contact support for assistance, as changes will be specific to your version. As an immediate fix, simply changing the cookie name so that it does not start with ACTINIC_CART (eg. SELLERDECK_CARTVIZ) will prevent the problem occurring. Replace all instances in your layouts.

                  Since at least version 16 there has been an inbuilt feature to hide or show the cart during checkout, and to remember that preference. Therefore the customisation is no longer required.
                  Last edited by Hugh Gibson; 21-Jul-2018, 03:43 PM.
                  Hugh Gibson
                  CTO - Sellerdeck, part of ClearCourse

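The mechanism Hugh describes above (a cookie lookup that accepts any name starting with ACTINIC_CART, so ACTINIC_CARTVIZ=show becomes the "session" and the session file is named "show") can be reproduced in a small model. This is an added example, not Sellerdeck's Actinic.pm; the thread does not show the real lookup, so the vulnerable function here assumes a prefix match where the last matching cookie wins, and the session directory path and session-ID format are assumed. The fixed lookup matches the name exactly and also discards a cart cookie whose value is already "show" or "hide", the second change Hugh says is required.

```python
"""Model of the ACTINIC_CART / ACTINIC_CARTVIZ conflict described in the thread.

Added example, not Sellerdeck's Actinic.pm. Assumptions: the vulnerable code
accepts any cookie whose name merely starts with "ACTINIC_CART" (last match
wins) and names the server-side session file after the value it finds; the
fixed code matches the name exactly. SESSION_DIR and SESSION_ID_RE are assumed.
"""
import re
from pathlib import PurePosixPath

CART_COOKIE = "ACTINIC_CART"
SESSION_DIR = PurePosixPath("/srv/sellerdeck/sessions")   # assumed location
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,64}$")         # assumed ID format
POISONED = {"show", "hide"}  # values the conflict leaves in ACTINIC_CART


def parse_cookie_header(header):
    """Split a Cookie: request header into ordered (name, value) pairs."""
    pairs = []
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def cart_cookie_lazy(header):
    """Vulnerable lookup: any name with the ACTINIC_CART prefix qualifies,
    so ACTINIC_CARTVIZ=show is taken as the cart cookie."""
    found = None
    for name, value in parse_cookie_header(header):
        if name.startswith(CART_COOKIE):
            found = value
    return found


def cart_cookie_exact(header):
    """Fixed lookup: exact name match. A cart cookie that already carries a
    poisoned value, or anything not shaped like a session ID, is discarded
    so the script starts a fresh session instead of opening a shared file."""
    for name, value in parse_cookie_header(header):
        if name == CART_COOKIE:
            if value in POISONED or not SESSION_ID_RE.match(value):
                return None
            return value
    return None


def session_file(lookup, header):
    """Path of the session file the script would open, or None for 'no session'."""
    session_id = lookup(header)
    return None if session_id is None else SESSION_DIR / session_id


# Constructed request headers: two unrelated shoppers who both toggled the
# cart during checkout, and one whose cart cookie has already been poisoned.
SHOPPER_A = "ACTINIC_CART=a1b2c3d4e5f6a7b8; ACTINIC_CARTVIZ=show"
SHOPPER_B = "ACTINIC_CART=f8e7d6c5b4a3f2e1; ACTINIC_CARTVIZ=show"
SHOPPER_C = "ACTINIC_CART=show"


def demo():
    """Return {shopper: (lazy path, exact path)} for the three headers."""
    return {
        label: (session_file(cart_cookie_lazy, h), session_file(cart_cookie_exact, h))
        for label, h in (("A", SHOPPER_A), ("B", SHOPPER_B), ("C", SHOPPER_C))
    }


if __name__ == "__main__":
    for label, (lazy, exact) in demo().items():
        print(f"shopper {label}: lazy -> {lazy}   exact -> {exact}")
```

With the lazy lookup shoppers A and B both resolve to the same file, sessions/show, which is exactly how one customer's cart and address come to be served to another; with the exact lookup they get their own files and shopper C is sent back to an empty session rather than a shared one. Renaming the customisation's cookie (SELLERDECK_CARTVIZ) removes the prefix collision on the client side; the exact match plus value check closes it on the server side regardless of what customisations a site carries.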


                    #10
                    Hi Hugh,

                    Thank you for responding.

                    I was contacted by another sellerdeck user who has experienced the problem today. I know he talked to Darren at Sellerdeck to get the fix earlier.

                    I wanted to clarify that I certainly never implemented the change you are suggesting on your link to the other post.

                    I have not knowingly customised this area of sellerdeck and I have checked personally (and sent Sellerdeck) all the code changes we have made. I could not find this "customisation" or reference to ACTINIC_CARTVIZ in any of them. Additionally we personally do not like the sellerdeck hide/show cart so certainly would not have purposefully added it.

                    I understand the issue has been present in sellerdeck for a number of versions. It seems very odd that the issue is only surfacing now. Please could you give some insight into why this might be the case.

                    As you point out, the consequences are extremely serious, so it is in everyone's interest to fully resolve this ASAP.

                    Many thanks
                    Tony
                    www.secretgardenquilting.co.uk



                      #11
                      Tony, I have checked uniform-direct.com and they have the same customisation. Dean should be able to sort him out.

                      Originally posted by tonygg:
                      I wanted to clarify that I certainly never implemented the change you are suggesting on your link to the other post.
                      I've looked in your site again and gone to checkout. This is the code from your page, with the cookie highlighted.

                      [Image: Secret Garden Quilting checkout source]
                      This is clearly the fragment from the 2010 thread, which up until now has been the only hit on Google for the term ACTINIC_CARTVIZ.

                      Originally posted by tonygg:
                      I have not knowingly customised this area of sellerdeck and I have checked personally (and sent Sellerdeck) all the code changes we have made. I could not find this "customisation" or reference to ACTINIC_CARTVIZ in any of them. Additionally we personally do not like the sellerdeck hide/show cart so certainly would not have purposefully added it.
                      I checked the files you sent and they are not implicated. The customisation is in the layout Checkout Shopping Cart Grid, not a file. It must have been implemented without your knowledge, perhaps by a designer who worked on your site.

                      Originally posted by tonygg:
                      I understand the issue has been present in sellerdeck for a number of versions. It seems very odd that the issue is only surfacing now. Please could you give some insight into why this might be the case.
                      I have checked the layouts in each version back to version 8, and this cookie is not present. As stated before it is a conflict between the customisation and the Perl scripts, so it will only appear in sites that implement the customisation. The issue does not appear in standard Sellerdeck sites.

                      Originally posted by tonygg:
                      As you point out the consequences are extremely serious so it is in everyone's interest to fully resolve ASAP.
                      Yes. I've agreed with Josh (CEO) that the change to prevent the conflict will be brought forward to 18.0.2, due to be released early next week.

                      As stated before, if you have the customisation in an older version contact support for assistance.
                      Hugh Gibson
                      CTO - Sellerdeck, part of ClearCourse



                        #12
                        Originally posted by tonygg:
                        Hi Hugh,

                        Thank you for responding.

                        I was contacted by another sellerdeck user, Sam (from Uniform-direct.com). Who has experienced the problem today. I know he talked to Darren at Sellerdeck to get the fix earlier. I understand from Sam his customer (a police officer) is intending to report the incident as I guess it is a data breach.

                        I wanted to clarify that I certainly never implemented the change you are suggesting on your link to the other post.

                        I have not knowingly customised this area of sellerdeck and I have checked personally (and sent Sellerdeck) all the code changes we have made. I could not find this "customisation" or reference to ACTINIC_CARTVIZ in any of them. Additionally we personally do not like the sellerdeck hide/show cart so certainly would not have purposefully added it.

                        I understand the issue has been present in sellerdeck for a number of versions. It seems very odd that the issue is only surfacing now. Please could you give some insight into why this might be the case.

                        As you point out, the consequences are extremely serious, so it is in everyone's interest to fully resolve this ASAP.

                        Many thanks
                        Hi Tony,

                        Hugh, Dean and myself have spent today discussing this issue and continuing our investigation. I'm glad that Hugh has found a solution which you can apply immediately.

                        This is clearly a severe issue and worrying that you were not aware of the customisation that has caused it. Because of the severity, we have decided to take immediate action and will prevent the custom code from causing this issue - this will be applied to v18.0.2 which is expected within the next week.

                        We recommend fully testing any customisation to prevent issues like this from going live.

                        I will message Sam now and offer my assistance with the potential report from his customer.

                        Thanks,
                        Josh


                        Josh Barling
                        CEO | Sellerdeck Ltd

                        josh.barling@sellerdeck.com



                          #13
                          Hi Josh & Hugh.

                          Thank you for the rapid responses and the update.

                          The site was built by me with (lots) of help from Sellerdeck. It was created on sellerdeck 2011 and updated to 13 and 16. I certainly did not add it and don't even really know what it is about, let alone know where to insert it.

                          The only code that has been provided externally was the pieces I sent you and have been verified as not causing the issue.

                          It is very worrying that this code is present in my site if I did not put it there and it is not part of the standard build. Please can you confirm the file and folder (e.g. site1) that contains the code. I will try to trace it back to the original installation in 2011 and see when it could have been added?

                          Why do you think this is only starting to appear over the last couple of months?

                          Many thanks
                          Tony
                          www.secretgardenquilting.co.uk



                            #14
                            Originally posted by tonygg:
                            Please can you confirm the file and folder (e.g. site1) that contains the code.
                            As I said before:
                            The customisation is in the layout Checkout Shopping Cart Grid, not a file.
                            To find this:
                            1. Open the Design menu, Library, select Layouts tab.
                            2. Right-click a layout and select Find.
                            3. Click the Code checkbox.
                            4. Enter ACTINIC_CARTVIZ and click "Find Next Item".
                            5. That should highlight the layout where it appears.
                            6. Open the layout to verify.
                            7. Change the cookie name to SELLERDECK_CARTVIZ (two places).

                            Originally posted by tonygg:
                            Why do you think this is only starting to appear over the last couple of months?
                            As is clear from the original thread, and the post I quoted, this customisation immediately caused a problem in 2010.

                            It's possible that with GDPR having been publicised recently that customers are more alert to these problems and therefore have not dismissed them but have notified merchants.
                            Hugh Gibson
                            CTO - Sellerdeck, part of ClearCourse



                              #15
                              Tony,

                              I'm the author of that 2010 post that seems to be causing the trouble. It's not actually my code that's the problem but it seems that SellerDeck Perl scripts are being lazy in mishandling any cookie item name that starts with ACTINIC_CART.

                              1) To tell if you have the suspect code, go to Design / Library / Layouts. Right-click the top entry and choose Find. Type in CARTVIZ and check the Code checkbox (it won't hurt if all checkboxes are checked). Now click the Find Next Item and you'll be told if the code is there or not.

                              2) If you do find it, edit that layout and change it from ACTINIC_CARTVIZ to SELLERDECK_CARTVIZ. There should be two instances so do them both.

                              3) Finally, repeat the search (1) to be sure it's all gone.
                              Norman - www.drillpine.biz
                              Edinburgh, U K / Bitez, Turkey

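The two posts above find the customisation in the Sellerdeck library, which is the place to fix it. A second check a practitioner will want is on the output: the layout is rendered into the HTML and JavaScript that gets uploaded, and Hugh found the cookie by viewing the live checkout page source. The scanner below is an added example, not Sellerdeck code, and is meant to be run over the generated site files (or a saved copy of the checkout page) before and after the rename. It reports every cookie name written from inline JavaScript that shares the ACTINIC_CART prefix without being ACTINIC_CART itself; the 2010 fragment is not reproduced on this page, so the sample page here is constructed and only assumes the customisation sets its cookie through document.cookie. Editing the generated files by hand is not a fix, since the next upload regenerates them from the layout.

```python
"""Scan published page source for cookies that share the ACTINIC_CART prefix.

Added example, not Sellerdeck code. Complements the library search: the
customisation lives in a layout, but its cookie write ends up in the uploaded
HTML/JavaScript, so the generated checkout page can be checked directly.
The BEFORE/AFTER pages are constructed samples, not the real 2010 fragment.
"""
import re
import sys

CART_COOKIE = "ACTINIC_CART"

# String literal at the start of a document.cookie assignment, e.g.
#   document.cookie = "ACTINIC_CARTVIZ=show; path=/"
#   document.cookie = 'ACTINIC_CARTVIZ=' + state + '; path=/'
DOC_COOKIE_RE = re.compile(r"""document\.cookie\s*=\s*(["'])(.*?)\1""")
NAME_RE = re.compile(r"^\s*([^=;\s]+)\s*=")


def cookie_names_written(page_text):
    """Names of every cookie that inline JavaScript in page_text writes."""
    names = []
    for _quote, literal in DOC_COOKIE_RE.findall(page_text):
        m = NAME_RE.match(literal)
        if m:
            names.append(m.group(1))
    return names


def conflicting_cookie_names(page_text):
    """Cookie names that start with ACTINIC_CART but are not ACTINIC_CART itself.
    On a version without the 18.0.2 change, any hit means the session-file
    conflict described in the thread is still possible on this page."""
    return sorted({n for n in cookie_names_written(page_text)
                   if n.startswith(CART_COOKIE) and n != CART_COOKIE})


# Constructed checkout page fragments: before and after the rename.
BEFORE = """
<script type="text/javascript">
function toggleCart(show) {
  document.cookie = "ACTINIC_CARTVIZ=" + (show ? "show" : "hide") + "; path=/";
}
</script>
"""
AFTER = BEFORE.replace("ACTINIC_CARTVIZ", "SELLERDECK_CARTVIZ")


if __name__ == "__main__":
    # Usage: python scan_cart_cookies.py checkout.html other.html ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = conflicting_cookie_names(fh.read())
        print(f"{path}: {'conflict: ' + ', '.join(hits) if hits else 'clean'}")
```

A clean result from this scanner only covers cookies set from inline script in the files you pass it; a cookie set from an external .js file or by server-side code is not seen unless that file is scanned too, which is why the library search in the posts above remains the authoritative check.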
