I signed up for a Target account



  • So... I came into the possession of a Target eGift card. Beforehand, I did do a little bit of research. Apparently there are (at least) 3 different kinds of Target gift card: physical card, eGiftCard, and Mobile GiftCard. An eGiftCard can be used on Target.com, and can be converted (!) to a Mobile GiftCard and used in-store:

    Okay, looks like I will need to have a Target account. So I go do that on my computer web browser. Note that nowhere during the registration process does it ever ask for my mobile phone number. Registration is with an email address and a password. There's no email verification step, but it does send a confirmation email upon successfully creating the account.

    Anyway, I would prefer not to install the mobile app if I can at all avoid it, so I go to the account and see that you can add gift cards. I went ahead and added the gift card. The account page doesn't change in any way to reflect that I added a gift card; the "manage GiftCards" link is still hardwired to /add-giftcard, but if I click "manage cards" (/manage-wallet) it shows the gift card:

    Okay, but the gift card details page doesn't display a bar code anywhere; there's nothing that could be scanned:

    Okay, fine, I'll download your 60-something megabyte crap iOS app. Whoops, it only runs on iOS 8.something or later, so my iPhone 4 isn't supported. :headdesk:

    Time to get creative.

    I set my browser to spoof an iPhone user agent string and visit target.com again. Now there's a "Mobile Gift Cards" in the menu, which takes me to... this page (note it doesn't even match the look & feel of the other mobile pages):

    There's that phone number and PIN I never set up when I created my account. In fact there doesn't seem to be any way to set them, anywhere. Maybe I have to go to "create account" in the mobile site to link my regular account with a mobile account or something?

    Nope... that doesn't work; I already have an account:

    Oh wait... look: in the menu, there's a login option that does have email and password fields:

    Success! Now back to > "my mobile gift cards"... and here's the same login page? what? :rolleyes:

    Okay fine... menu... hey there it is!!! "gift cards", and it sees that there's cash in there!

    Clicking that...

    FINALLY.

    No, there's no way to get to the equivalent page from the desktop version of the site. And WTF was even going on with the phone number thing? They have two incompatible versions of their login system running live at the same time?

    :wtf:



  • Still better than Sears/Kmart in that you can actually log in to Target's website.



  • Just for the sake of completeness I tried loading the mobile site on both Safari and mobile Chrome, to see if it actually works the same (since we've had issues with desktop vs. mobile vs. mobile-in-desktop mode :doing_it_wrong:).

    In both browsers, it refuses to scroll when one of the menus ( or ) is open. The "my mobile gift cards" link isn't even accessible. Everything else happens pretty much the same as the mobile screenshots I made while spoofing the user agent on my desktop.


  • Trolleybus Mechanic

    @anotherusername said:

    No, there's no way to get to the equivalent page from the desktop version of the site.

    Knowing Target, I'm willing to call this a WTF.

    Knowing Target's customers, I'm also willing to believe Target did that intentionally. Otherwise people would be bringing in their entire desktop and say "Lemma just set this up so you's can scan em for my eeeee-leectronic cashies". Or they'd take a picture of their desktop on their mobile phone-- at 320x240 blurry resolution. Or would take a picture of the "My Gift Card" page with the balance and no barcode-- possibly also at 320x240 blurry.

    Basically, everyone involved in the Target chain top down to end users are drooling morons.

    Speaking of which:

    http://i.imgur.com/YpCTumk.png

    Let's play a game I like to call "Guess Where In The Framework They're Mishandling Passwords In Plain Text". Your only clue is the restrictions on what is allowed in a password.

    My guess is they take the password, create XML for a web call-- except they're handrolling the XML instead of using a library, and have never heard of character encoding-- and into that basket of WTF they're putting your plaintext password.

    For bonus points, guess where the SQL injection point is!



  • @Lorne_Kates said:

    I'm also willing to believe Target did that intentionally

    I'm sure they probably did, but why rather escapes me. They could easily provide a printable page.

    @Lorne_Kates said:

    Or would take a picture of the "My Gift Card" page with the balance and no barcode-- possibly also at 320x240 blurry.

    They can do that anyway (I posted that screenshot). The gift card details page won't help them much, other than to check the card's balance, but it's there.



  • @anotherusername said:

    my iPhone 4 isn't supported.

    Uhh, yeah...I wonder why?

    This is extreme :doing_it_wrong:. You could compete in the Olympic sport of :doing_it_wrong:, and you would probably medal. :wtf:.


  • Notification Spam Recipient

    I kinda wonder if I can add this Target Gift Coin thing to an account then? Hmm...



  • @Lorne_Kates said:

    except they're handrolling the XML instead of using a library,

    I can only hope they're using that same library on both ends... Otherwise my password of hunter&2 might be interesting...
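
Added example, not part of any post in this thread and not Target's code: the hand-rolled XML guess and the `hunter&2` password from the posts above, run through a string-concatenated request and a library-built one. The element names, function names and sample passwords are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

def handrolled_request(email, password):
    # The guessed anti-pattern: XML built by string concatenation, no escaping.
    return ("<login><email>" + email + "</email>"
            "<password>" + password + "</password></login>")

def library_request(email, password):
    # Same message built with an XML library, which escapes &, < and > in text.
    root = ET.Element("login")
    ET.SubElement(root, "email").text = email
    ET.SubElement(root, "password").text = password
    return ET.tostring(root, encoding="unicode")

def received_password(xml_text):
    """Password as the receiving service would read it, or None if the
    document is not well-formed XML."""
    try:
        return ET.fromstring(xml_text).findtext("password")
    except ET.ParseError:
        return None

def survey(passwords, build):
    """Map each password to True if it arrives unchanged when sent via `build`."""
    return {pw: received_password(build("user@example.com", pw)) == pw
            for pw in passwords}

# Constructed sample passwords (hypothetical).
SAMPLES = ["hunter2", "hunter&2", "a<b", "tom&amp;jerry", 'quote"s']

if __name__ == "__main__":
    for name, build in (("hand-rolled", handrolled_request),
                        ("library", library_request)):
        print(name)
        for pw, ok in survey(SAMPLES, build).items():
            got = received_password(build("user@example.com", pw))
            print(f"  {pw!r:18} round-trips={ok} received={got!r}")
```

With the hand-rolled builder, `hunter&2` and `a<b` produce a document that does not parse, and `tom&amp;jerry` parses but arrives as a different password; banning such characters in the password rules hides the defect rather than fixing the encoding.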



  • @rc4 said:

    @anotherusername said:
    my iPhone 4 isn't supported.

    Uhh, yeah...I wonder why?

    Virtually every other popular app runs on iOS 7. As in, the very latest and greatest version of the app runs on iOS 7. So far, the only thing I've missed out on was Siri, and I don't feel like I'm missing very much. The only things that would motivate me to upgrade are that it's relatively slow and doesn't have very much RAM, which means that apps get switched out very quickly when they're inactive.

    I know that I'm supposed to put my iPhone through a wood chipper every year and buy the newest shiny toy from Apple, but I'm perfectly okay to be :doing_it_wrong: when it comes to that.



  • @Lorne_Kates said:

    Let's play a game I like to call "Guess Where In The Framework They're Mishandling Passwords In Plain Text". Your only clue is the restrictions on what is allowed in a password.

    Maybe they're putting the password into a shell command without any escaping?



  • You are using a device that is 5 1/2 years old. That isn't a matter of "not buying the newest device every year."



  • It is perfectly adequate for virtually every other popular app.

    Actually it turns out that there was a version of the Target app that runs on iOS 7, and with a little bit of helpful coercing in iTunes (iTunes is TR :wtf:), you can get the app, and then convince iOS (iOS is TR :wtf:) to download the latest compatible version of the app instead of deadwalling the user with a "this app is not compatible" message.


  • Notification Spam Recipient

    @anotherusername said:

    a little bit of helpful coercing

    It's a good thing Apple has all these security mechanisms in place, otherwise anyone could download the previous version and install it with one click!



  • My Chromebook is 3 years old and it doesn't lack the ability to visit websites made this year.


  • area_can

    But is
    it res
    pons
    ive?

    :phone:



  • Devices should work for, like, 20 years. Our washing machine, boiler, gas heaters, fridge and car are all roughly that age. It's not the user that's TR :wtf: for keeping a device until it works, it's the decision by manufacturers to make the products break down or become unusable after a certain time.

    Or not a :wtf: because it's financially advantageous but an annoying thing.



  • Okay, so for what it's worth, I installed the latest version of the Target app that was compatible with iOS 7, and took some screenshots. After logging in, the "my GiftCards" option:

    😒

    :headdesk:

    I guess because it's an old version of the app, it's the old gift card login page? I dunno.

    Waste of space, anyway. Time to uninstall.


  • Discourse touched me in a no-no place

    Unless it's Discourse and then I'm not sure even the iPhone 6S is supported.


  • kills Dumbledore

    @anotherusername said:

    Actually it turns out that there was a version of the Target app that runs on iOS 7, and with a little bit of helpful coercing in iTunes (iTunes is TR :wtf:), you can get the app, and then convince iOS (iOS is TR :wtf:) to download the latest compatible version of the app instead of deadwalling the user with a "this app is not compatible" message.

    Had this exact problem trying to get Find My iPhone on my MIL's iPhone 4. You have to "purchase" the free app through iTunes or on a newer iPhone connected to the same Apple ID, after which it's on your account and can then be seen in the purchased list. You can then download it after lots of warnings about it not being the latest version. It's a fuckload of hassle.



  • @Lorne_Kates said:

    guess where the SQL injection point is!

    But... but... after inadvertently releasing 40 million customer credit card details last year, they fixed all that! Because Capitalism and Competition and Informed Consumer Choice!

    Didn't they?


  • BINNED

    @ben_lubar said:

    Maybe they're putting the password into a shell command without any escaping?

    Let me create an account and test... let's see what password KeePass gives me...

    env x='() { :;}; echo vulnerable' bash -c "rm -rf / --no-preserve-root"

    Huh. Weird one. Oh well...


  • ♿ (Parody)

    @flabdablet said:

    But... but... after inadvertently releasing 40 million customer credit card details last year, they fixed all that! Because Capitalism and Competition and Informed Consumer Choice!

    Didn't they?

    Nah, they let it ride, because Artificial Barriers to Entry and Official Red Tape and Too Big to Fail.



  • Also Dominant Market Position, Abuse Of Market Power, Market Failure and a frankly astounding dose of Meh.


  • BINNED

    @boomzilla said:

    Nah, they let it ride, because Artificial Barriers to Entry and Official Red Tape and Too Big to Fail.

    Under a mixed economy, all successes will be attributed to government and all failures to the market and participants therein.



  • @Lorne_Kates said:

    Basically, everyone involved in the Target chain top down to end users are drooling morons.

    I shop at Target occasionally, for one specific reason: they sell high-grade dark chocolate, and the other major supermarket nearby does not.



  • I shop at Target specifically because they sell the one and only brand of 24-hour non-drowsy allergy relief medicine that actually works, according to my wife.


  • Trolleybus Mechanic

    @Mason_Wheeler said:

    I shop at Target occasionally, for one specific reason: they sell high-grade dark chocolate, and the other major supermarket nearby does not.

    @anotherusername said:

    I shop at Target specifically because they sell the one and only brand of 24-hour non-drowsy allergy relief medicine that actually works, according to my wife.

    I'll bypass the obvious "thanks, drooling morons" joke and modify my original statement with "almost everyone".

    Then again, people who shop wisely for specific items (rather than high-profit-margin impulse-item cell phone contracts) aren't REALLY Target's target demo.

    BTW: What brand of chocolate?



  • @Lorne_Kates said:

    BTW: What brand of chocolate?

    They have Godiva and Ghirardelli, which both make quite good 72% cacao products. 😋


  • Trolleybus Mechanic

    @Mason_Wheeler said:

    @Lorne_Kates said:
    BTW: What brand of chocolate?

    They have Godiva and Ghirardelli, which both make quite good 72% cacao products. 😋

    Ghirardelli, agreed. Good chocolate. Though I was surprised to find they were owned by Lindt.

    Godiva-- meh. Tried it a few times, but each time I'm reminded about just how much of the brand is marketing rather than good chocolate. Though if you're really REALLY into it-- check out Costco. You can get a beautiful gold box with 27 truffles for under $20. Or massive gift baskets for a literal fraction of the cost of buying the bars.

    If you ever come across Cote D'Or, try that. It's a really good "sweet spot" of high quality and inexpensive.


  • BINNED

    Also Dagoba. Vosges is good, and very creative, but overpriced.

