Comments 7

  1. Yikes, I would say so.

    I’m not a SQL or database whiz, but I’m guessing the lookup query is written in such a way that takes what you enter (h) and attaches wildcards before or after it, resulting in every email with an H in it. Their development team should take a serious look at this.

  2. Post

    You are right, that’s exactly what’s happening at the code execution level. Here is the clincher: I bet the marketing team at is not even aware of this design flaw. Luckily they don’t list email addresses, or their competitors could have done some serious damage.

  3. Here’s the problem though. If they are showing contact information, someone can call the customer, claiming to be from Tender Filet, and try to solicit credit card information. This happened to one of my clients before, and it was an absolute disaster.

    I’m all for usability, but Contact information should never be that available on a public site.

  4. It’s an interesting issue. As you guys discussed, they are taking the letter and if any name has that letter it is showing the results. However, if you type something like “hh” or “aa” nothing shows up. I don’t consider this a design flaw, because what is the real flaw? The user is supposed to enter a name to search; however, they accidentally typed just a letter such as “h”–what’s the big deal showing what they are showing? As they are not revealing any sensitive data, I don’t find it to be problematic.

  5. Post

    You have a valid point. But if someone is looking to buy a gift item I suspect they would know a few letters beyond the recipient’s initials. This is certainly not a security breach, just poor programming standards in my opinion.

    1. With plans to implement public wish lists on my own store, this is interesting.

      As long as no contact details are being shared, or explicitly with the user’s consent, this should not be an issue. But on the other hand, having a minimum of say 3 letters before executing a search and input of location might also be good.

      Or should the URLs be based on some alias and let the user have the responsibility of sharing it with the people.

      The two approaches totally differ based on what consumers would ideally want.
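An added example (not code from the thread or from the store discussed) contrasting the lookup behaviour described above, a bare "contains" match with no length floor, against the minimum-length check suggested in the reply. Table name, column and the sample owners are constructed for illustration; the wildcard escaping assumes SQLite's LIKE ... ESCAPE syntax.

```python
import sqlite3

MIN_QUERY_LEN = 3  # minimum letters before a lookup runs, as suggested in the thread

# Constructed sample wish-list owners (hypothetical names, not real customers).
SAMPLE_NAMES = ["Hannah Hughes", "Harold Smith", "Jane Doe", "Michael Chen", "Sarah O'Hara"]


def make_db():
    # In-memory table standing in for the store's wish-list records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wishlist (id INTEGER PRIMARY KEY, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO wishlist (owner) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def escape_like(term):
    # Escape LIKE metacharacters so user input cannot widen the pattern on its own.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def naive_search(conn, term):
    # The behaviour the post describes: wildcards on both sides and no length floor,
    # so a single letter such as "h" enumerates most of the table.
    rows = conn.execute(
        "SELECT owner FROM wishlist WHERE owner LIKE ? ESCAPE '\\'",
        ("%" + escape_like(term) + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def hardened_search(conn, term):
    # Refuse to run a lookup on fewer than MIN_QUERY_LEN characters, and match only
    # from the start of the name so a short input cannot sweep the whole list.
    term = term.strip()
    if len(term) < MIN_QUERY_LEN:
        return []
    rows = conn.execute(
        "SELECT owner FROM wishlist WHERE owner LIKE ? ESCAPE '\\'",
        (escape_like(term) + "%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("naive 'h':", naive_search(db, "h"))        # four of five owners
    print("hardened 'h':", hardened_search(db, "h"))  # []
    print("hardened 'Har':", hardened_search(db, "Har"))
```

Note that the naive variant also reproduces the "hh" observation from the thread: a two-letter string that appears in no name returns nothing, which is why the flaw only shows up on single letters.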
