CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Wal-Mart bug allows peep at shoppers

A glitch in Wal-Mart's online store is letting some users view personal information about other shoppers.

A glitch in Wal-Mart's online storefront is giving customers a peep into other people's shopping carts.

The bug allows shoppers to randomly view personal information of other shoppers, including names, addresses, and phone numbers. While it does not give anyone access to credit card numbers or pose a serious security hazard, the problem does come just as Wal-Mart is touting itself as a great place to shop online.

Yesterday, the company announced that a plan to protect credit card numbers by implementing the SET (Secure Electronic Transaction) standard. SET is a newly finished protocol for using credit cards online sponsored by Visa and MasterCard that would automatically process charges for purchases made on the Internet.

But that won't be implemented until the summer, according to Wal-Mart spokeswoman Stacey Webb. In the meantime, some Wal-Mart customers are finding that the current system isn't foolproof.

Webb, reached this morning, said the glitch was caused by a "bad link" and that technical people are working to rectify it. But it appears that the company did nothing about the problem for at least 72 hours after it was reported to customer service by a Wal-Mart shopper.

Rickey Vice, a San Francisco resident who also works as a technical analyst, discovered the problem last week after he got an email from Wal-Mart advertising Father's Day sales.

The ad sent him to a page advertising deals for dads. When he clicked on a product, he was allowed to add it to a shopping basket without registering his own name. The process should have taken him to a set-up page where he would have entered his personal information. Instead, it took Vice to someone else's basket.

He was allowed to "put" items in that basket and then view the personal information of the basket's "owner," including the person's name, address, and phone number.

"I bet everybody who got the mailing ran into this problem," Vice said. "That's got to be a lot of folks."

Customers who entered Wal-Mart through its front door apparently do not encounter the glitch.

Vice said he reported the problem to a customer service representative on Friday. But last night and this morning, the problem still existed and was replicated by CNET'S NEWS.COM. When both Vice and NEWS.COM went through the same process, the name and personal information of Kenneth Wyrick, a U.S. Army staff sergeant, showed up.

Wyrick, reached at an Army base in Norway, said he frequently orders items from Wal-Mart and that he had last ordered products about a month ago. In fact, Wyrick said that when he went to shop there the last time, someone else's name appeared. He simply erased it and inserted his own.

"I wasn't that concerned because the credit card didn't come up," he wrote in an email message. He added that he thinks there's too much "paranoia" about private information being released over the Web.

At first, he shrugged off the problem: "My name's in the phone book." But after thinking about it, he changed his opinion. "If my name and address is being transmitted to hundreds of thousands of people, it may become an issue that could concern me greatly."

He said this would not put him off shopping on the Net but it just might discourage him from shopping at Wal-Mart.

Wal-Mart's Webb emphasized that the problem doesn't put anyone's credit card numbers at risk. But she couldn't say how long the glitch existed or how many people's names were exposed.

Vice, who discovered the problem, said he thought the problem was serious enough that the site should have been taken down immediately after he reported it to Wal-Mart on Friday.

"It's supposed to be a secure server. I might have been in the system, for all I know. If I were a cop or really wanted to protect my privacy, that's grounds for going after a person. You're not supposed to see this information."