Wal-Mart fixes site bug

Wal-Mart patches a glitch in its online storefront that gave some customers a peep into others' shopping carts.

Wal-Mart has patched a glitch in its online storefront that gave some customers a peep into others' shopping carts.

The bug, while hardly a major security breach, demonstrated how often security problems appear in emerging technologies--in this case, online storefronts and e-commerce applications.

The information of about five Wal-Mart shoppers, including their names, addresses, and phone numbers, was exposed to about 30 people. But given slightly different circumstances, many more people's personal information could have been compromised.

The glitch didn't give anyone access to credit card numbers, but the problem came at an awkward time for Wal-Mart, just as the year-old online store is touting itself as a safe place to shop online.

Yesterday, the company endorsed a plan to protect credit card numbers through the SET (Secure Electronic Transaction) standard. SET is a newly finished protocol for using credit cards online, sponsored by Visa and MasterCard, which would automatically process charges for purchases made on the Internet.

But that won't be implemented until the summer, according to Wal-Mart spokeswoman Stacey Webb. In the meantime, some Wal-Mart customers are finding that the current system isn't foolproof.

Just ask Rickey Vice, a San Francisco resident who also works as a technical analyst. Vice discovered the problem last week after he got an email dispatch from Wal-Mart sent out May 29, advertising Father's Day sales.

The ad sent him to a page advertising deals for dads. When he clicked on a product, he was allowed to add it to a shopping basket without registering his own name. The process should have taken him to a set-up page where he would have entered his personal information.

It didn't. Instead, explained Brian Hess, Internet marketing manager for Wal-Mart, it took Vice to someone else's basket. That basket, in fact, belonged to a person in the marketing department who caused the glitch by making a simple human error.

When the Wal-Mart staffer added the link into the dispatch, he copied it from his browser as he was logged onto the system with his own personal customer number. That meant that anyone linking from the dispatch's hypertext link would have been registered as that particular marketing employee, since the link contained his personal number.

In other words, the online store automatically "thought" everyone linking from the dispatch was the employee. Therefore, anyone entering from the dispatch would have been able to view that employee's information.

But the problem didn't stop there. It was further compounded by the fact that when confronted with the wrong information, about five people took it upon themselves to correct it by inserting their own names, phone numbers, and addresses, Hess said.

Each time a subsequent person entered new information, the next person coming into the site would have access to that information.
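The failure described above, reduced to a sketch; this is an added example, not Wal-Mart's code. It contrasts a store that takes the shopper's identity from a number in the link with one that takes it only from a per-browser session, and adds a pre-send check that flags and scrubs such links in a mailing. The parameter names, the `store.example.com` URL and the customer number are constructed, since the article does not give the real ones.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical parameter names; the article does not say what the real one was.
IDENTITY_PARAMS = {"customer", "custid", "sid", "session"}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def resolve_customer_vulnerable(url):
    """Behaviour the article describes: whoever follows the link is the number in it."""
    return dict(parse_qsl(urlsplit(url).query)).get("customer")

def resolve_customer_hardened(url, cookies, sessions):
    """Identity comes only from a per-browser session cookie; the URL is ignored."""
    return sessions.get(cookies.get("session_token"))  # None -> send to set-up page

def scrub_link(url):
    """Drop identity-bearing query parameters from a link before it is mailed out."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in IDENTITY_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def lint_mailing(body):
    """Return every link in an outgoing mailing that still carries an identity parameter."""
    flagged = []
    for raw in HREF_RE.findall(body):
        url = html.unescape(raw)  # hrefs in HTML carry '&' as '&amp;'
        names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
        if names & IDENTITY_PARAMS:
            flagged.append(url)
    return flagged

# Constructed sample mailing: one link pasted from a logged-in browser, one clean link.
MAILING = (
    '<a href="https://store.example.com/fathers-day?item=1234&amp;customer=900017">Deals for dads</a>'
    '<a href="https://store.example.com/help">Help</a>'
)

if __name__ == "__main__":
    for link in lint_mailing(MAILING):
        print("flagged:   ", link)
        print("scrubbed:  ", scrub_link(link))
        # Every recipient resolves to the same customer record in the vulnerable store.
        print("vulnerable:", resolve_customer_vulnerable(link))
        # A recipient with no session of their own is anonymous in the hardened store.
        print("hardened:  ", resolve_customer_hardened(link, {}, {"tok-abc": "900017"}))
```
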

Hess wouldn't say how many dispatches Wal-Mart sent out, but fortunately for the company, the distribution of the dispatch apparently was not terribly successful. In fact, only about 30 people linked to the page from the dispatch. In turn, only those people had access to the five or so who changed the form. The link has since been fixed and the employee number has been destroyed, Hess added.

But before then, Kenneth Wyrick, a U.S. Army staff sergeant, was one of those whose information was exposed. His name turned up when both Vice and CNET's NEWS.COM accessed the site through the advertisement.

Wyrick, reached at an Army base in Norway, said he frequently orders items from Wal-Mart, but had last ordered products about a month ago. Hess could not explain the time discrepancy.

Yet Wyrick said that when he went to shop there the last time, someone else's name appeared. He simply erased it and inserted his own.

"I wasn't that concerned because the credit card didn't come up," he wrote in an email message. He added that he thinks there's too much "paranoia" about private information being released over the Web.

Wyrick said he didn't mind his name and phone number being published, as long as it wasn't transmitted to "hundreds of thousands of people." He added that while this would not put him off shopping on the Net, it might discourage him from shopping at Wal-Mart.

Wal-Mart's Webb and Hess both emphasized that the problem doesn't put at risk anyone's credit card numbers, the great bugaboo of the Internet. Hess hastily noted that this was the first problem of its kind that Wal-Mart has confronted.

Regardless of what caused it, Vice, who discovered the problem, said he thought it was serious enough that the site should have been taken down immediately after he reported it to Wal-Mart on Friday.

"It's supposed to be a secure server. I might have been in the system, for all I know. If I were a cop or really wanted to protect my privacy, that's grounds for going after a person. You're not supposed to see this information."

Hess said he hadn't heard about the problem until contacted this morning by NEWS.COM.