Form handling WTF
  •  What exactly is the WTF?



  • Hit refresh a few times. 



  • @ammoQ said:

     What exactly is the WTF?

    Notice how most of the fields are pre-filled?

    http://www.renault.co.uk/competition/britishgrandprix.aspx

     




  • @ivix_b said:

    Hit refresh a few times. 

     

    I think the theory here is that you COULD have put at least a small explanation in your OP.



  • @ivix_b said:

    Hit refresh a few times. 

     

    ouch. 



  • @dysmas said:

    @ivix_b said:

    Hit refresh a few times. 

     

    ouch. 

    Agreed.  ouch.  shit.  

    If I were a spammer/identity theft/general internet no-do-gooder, TDWTF forums would be a prime location to pick up info. 



  • @belgariontheking said:

    If I were a spammer/identity theft/general internet no-do-gooder, TDWTF forums would be a prime location to pick up info. 


    and probably are.



  • @Vempele said:

    Notice how most of the fields are pre-filled?

     

    No surprise since the originally posted URL contained some code of session identifier. 



  • Renault privacy statement

    We like to keep in touch with our customers, past and present, to make sure you're happy with the standards of service we provide and to keep you up to date with our latest products and services. RUK does not divulge information about customers to anyone other than its authorised dealers and its commercial partners who provide finance, motor recovery, breakdown and other insurance services.



  • HOLY FLURKING SCHMIDT!!!!



    That's AMAZING. Now who's brave enough to start phoning people from the list, congratulating them on winning Silverstone tickets and telling them to pick them up on the day?


    >:-D



  • @ammoQ said:

    @Vempele said:

    Notice how most of the fields are pre-filled?

     

    No surprise since the originally posted URL contained some code of session identifier. 

    If you close the page and go back to it (same session ID) you will get another set of personal data. Repeat until your spam targets list is full.



  • If we were a conscientious community, someone would write a script to email them all to tell them about the security hole. The script CERTAINLY wouldn't send emails titled "Congratulations, you've won Silverstone tickets", and DEFINITELY wouldn't encourage hundreds of people to drive to Silverstone to pick up non-existent tickets, as that would make the national news and would force Renault to examine their site security and it DEFINITELY CERTAINLY POSITIVELY wouldn't be really cool.






    Also, one day, Nick Sellors (a silverstone competition entrant) will google his own name and find this post. Hello, Nick.



  •  It stays the same when I refresh.



  • @dhromed said:

     It stays the same when I refresh.


    It only gives you the details of the most recent entrant. In this case, our good buddy Nick Sellors.



  • I remember previous versions of FFX -- or was it the Mozilla browser -- had an update-checker built into the bookmarks.

     



  • How did you get that full URL?

    It is not the one linked from the Renault site.



  • @GettinSadda said:

    How did you get that full URL?

    It is not the one linked from the Renault site

     

     

    Umm... it's a session ID... how else do you get a Session ID?



  • @curtmack said:

    @GettinSadda said:

    How did you get that full URL?

    It is not the one linked from the Renault site

    Umm... it's a session ID... how else do you get a Session ID?

    Even though I'm not a web developer (shock horror, yes not all visitors here are web developers!) I figured out that was roughly what the info was, but not how you craft it into a url.

    Do some browsers show it in the address bar when you visit the page (Firefox doesn't), or is it just a 133t h4x0r trick that any n00b should know? 



  • I've seen this before in an e-commerce web app I inherited from someone else a long time ago. The problem in that case was that the page set the session ID in the querystring, therefore when people sent each other e-mails with links, or when a search engine spidered the site, or when another web site offered a link to it, visitors would end up sharing the same session IDs, and by consequence, their shopping cart contents and billing information.

    That was scary. And stupid.

    -dZ.


  • Here's a better link -- the OP link has a %20 appended onto the end, causing it not to work:

    http://www.renault.co.uk/competition/britishgrandprix.aspx?cc=GP080103&WT.mc_id=BGP02&rukid=99926102T





  • It still works in Opera for me.


  •
    @digitalcircuit36939 said:

    It still works in Opera for me.

    Same here, though refreshing doesn't appear to be changing the details.

    One thing I did notice earlier - none of the phone numbers appear to have a leading zero.

    I wonder what they're being stored as...



  • @PJH said:

    One thing I did notice earlier - none of the phone numbers appear to have a leading zero.

     

    The Register said it's fixed but I can still see Nick Sellors' details.  Hi Nick!

    01332 is the dialling code for Derby so I reckon they're just being stored without the leading zero.  Imagine the extra expense if they stored the zero.



  • @GettinSadda said:

    @curtmack said:

    @GettinSadda said:

    How did you get that full URL?

    It is not the one linked from the Renault site

    Umm... it's a session ID... how else do you get a Session ID?

    Even though I'm not a web developer (shock horror, yes not all visitors here are web developers!) I figured out that was roughly what the info was, but not how you craft it into a url.

    Do some browsers show it in the address bar when you visit the page (Firefox doesn't), or is it just a 133t h4x0r trick that any n00b should know? 

     

    Nothing to do with browser. Some sites are stupid and put session ID information in the URL.

    All I was saying is that he got a session ID by registering and being assigned a Session ID. Or he got the link from someone who did, etc. 



  •  Someone should send Nick a screengrab.  Although the poor guy is probably being spammed to Netu and back so he likely wouldn't get it.

    And they think they fixed the problem...



  • That form uses JS validation. Some fields are empty. Nick does not use JS...



  • Stripping some of the params still shows our friend Nick:

    http://www.renault.co.uk/competition/britishgrandprix.aspx?rukid=99926102T

     



  • Aaaaand they've fixed it- only TWENTY-ONE HOURS after they said they'd fixed it. Nice work, Renault.



  • I recently did some integration work for a small business involving jobs board software. The software in question used a session ID it passed around everywhere in query strings (REALLY annoying for maintenance - forget to include it in a URL and the user gets logged out when they click the URL). Alas, when the site was launched and the business sent out an email to their "interested" list to publicise it, they copy-pasted the URL of the registration page into the email, containing - you guessed it - the session ID. Everyone who clicked the link found themselves already logged in. As an administrator, no less. <sigh>
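dZ's e-commerce story earlier in the thread, the jobs-board story in the post above, and ammoQ's observation that reopening the same session-ID URL hands out another entrant's details all describe one failure: the session key rides in the query string, so whoever receives the URL (by email, forum post or search-engine crawl) inherits the session and whatever data the server has attached to it. The Python sketch below is an added illustration, not code from this thread or from Renault's site. It models the leak with an in-memory session store, shows the usual fix (the session key comes only from an HttpOnly cookie the server set on that browser, never from the URL), and adds a helper that strips session-bearing parameters from a URL before it is mailed or logged. The `rukid` parameter name is the one seen in the thread; the store, the `Request` shape and the list of parameter names to strip are assumptions made for the demo.

```python
"""
Constructed demo: session identifier in the query string vs. in a cookie.
Everything here (store, request shape, parameter names) is assumed for
illustration; it is not the code of any real site.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed in-memory session store: session id -> data the server
# saved for that visitor (name, phone, cart contents, ...).
SESSIONS: dict[str, dict] = {}

SESSION_COOKIE = "sid"
# Assumption: parameter names that commonly carry a session id; 'rukid'
# is the one that appeared in the thread, the rest are generic examples.
SESSION_PARAMS = {"rukid", "sessionid", "phpsessid", "jsessionid"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the URL and parsed cookies."""
    url: str
    cookies: dict = field(default_factory=dict)


def create_session(profile: dict) -> str:
    """Start a session for a visitor and return its unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(profile)
    return sid


def prefill_from_url(req: Request) -> dict:
    """Vulnerable pattern: the session key is taken from the query string.

    Anyone who obtains the URL gets the original visitor's stored data,
    which is exactly what the thread observed with the pre-filled form.
    """
    query = dict(parse_qsl(urlsplit(req.url).query))
    return SESSIONS.get(query.get("rukid", ""), {})


def prefill_from_cookie(req: Request) -> dict:
    """Hardened pattern: the session key comes only from the cookie the
    server set on this browser; any session id in the URL is ignored."""
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""), {})


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value that keeps the id out of scripts and plain HTTP."""
    return f"{SESSION_COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def strip_session_params(url: str) -> str:
    """Remove session-bearing parameters before a URL is emailed, logged
    or pasted somewhere public; other parameters are kept in order."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in SESSION_PARAMS
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed entrant; the values are made up.
    sid = create_session({"name": "A. Entrant", "phone": "01234 567890"})
    shared = f"https://example.invalid/competition.aspx?cc=GP&rukid={sid}"
    print("stranger with the URL, vulnerable:", prefill_from_url(Request(shared)))
    print("stranger with the URL, hardened:  ", prefill_from_cookie(Request(shared)))
    print("owner's browser, hardened:        ",
          prefill_from_cookie(Request(shared, {SESSION_COOKIE: sid})))
    print("URL safe to mail:", strip_session_params(shared))
```

The hardened `prefill_from_cookie` closes the leak only if the server also refuses to create or adopt a session from a URL parameter, which is why no fallback to the query string is offered; `strip_session_params` is for the other half of the problem in the posts above, where staff or visitors copy a URL that already carries a session.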

