"At the moment some stranger is in her account as they keep adding things to her basket and she keeps taking them out."
A Reg reader last night spoke of the horrifying moment he realized an online store used by his wife was mixing up some of its online customers, allowing people to gain access to some strangers' personal information and order carts.

In what appears to have been a server-side caching blunder, it was possible on Wednesday to click around the site, and whether logged in or not, see pages belonging to others, complete with their details and orders, we're told.

What's more, during the security lapse, at least one person placed an order as another customer, charging that stranger's credit card, it was claimed. The website in question, we're told, belonged to uber-trendy fitness clothing e-shop Fabletics, operated by the TechStyle Fashion Group, previously known as JustFab Inc.
The glitch, which was said to have affected desktop and mobile versions of the site, now appears to have been fixed. The Register has obtained screenshots of web pages containing strangers' details, including names and phone numbers, served at random from the not-strictly-safe-for-work dotcom. "My wife has an account with Fabletics," our reader, who asked to remain anonymous, told us. "She tried to order some items tonight, but it turned out when she logged in, she was in someone else's account. At the moment some stranger is in her account as they keep adding things to her basket, and she keeps taking them out.
"By clicking around in their site I can access random customer personal details. Name, email, telephone number, address, account details, order history, etc. I could change someone's address if I wanted and maybe get stuff delivered. My wife informed them by phone but they didn't seem to think it was that serious. Not sure they realize how much their site is messed up."
Soon, their worst fears came true. "My wife's credit card was hit with transactions tonight from Fabletics," he added. "Clearly other people had access to her account. The bank phoned to check if they should block them as they flagged them as suspicious. Well done, Fabletics."
Meanwhile, another Reg reader, who also wished to remain anonymous for privacy reasons, alerted us after their daughter noticed something strange.
"She had been on the site and got someone else's details," our informant told us. "So I tried it myself: if you go on the site on mobile and browse any page other than homepage, it will log you in, you can then go to the customer details page, and see everything."
YouTube advert for a pair of men's shorts on Fabletics so I googled them, clicked the main page link, and it appeared as if I was logged-in as a user – I've never used them before," our anonymous tipster explained. "I clicked around and got to see a whole bunch of strangers' details."
This whole affair reminds us of the time Three UK's website accidentally revealed to visitors other customers' names, postal addresses, phone numbers, email addresses and more – all without asking for a login.
Valve's Steam store also once spewed players' private profiles to strangers, due to a caching issue. This tends to happen when a website employs a cache to serve previously generated pages quickly, thus avoiding building them on the fly every time they are requested. However, it all goes a little pear-shaped if the cache hands out the wrong pages to people.

California-based TechStyle Fashion Group did not reply to requests for comment. Messages from its customer service team, seen by The Register, confirmed the multimillion-dollar online souk was aware of reports of data leaking from its pages, and was treating the kerfuffle as a matter of urgency.
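The page-cache failure mode described above can be reproduced in a few lines. This is an added sketch, not code from The Register, Fabletics or TechStyle, and the article does not confirm the actual root cause; the toy origin `render_page` and the classes `NaiveCache` and `SafeCache` are hypothetical names, and the requests are constructed.

```python
# Constructed sketch: a shared page cache in front of a toy shop backend.
# All names (render_page, NaiveCache, SafeCache) are hypothetical.

def render_page(path, session_user):
    """Toy origin: returns (headers, body). Account pages are personalised."""
    if path.startswith("/account"):
        who = session_user or "guest"
        return {"Cache-Control": "private, no-store"}, f"Account details for {who}"
    return {"Cache-Control": "public, max-age=300"}, f"Catalogue page {path}"


class NaiveCache:
    """Keys on the URL path alone and stores every response it sees."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def get(self, path, session_user=None):
        if path not in self.store:
            self.store[path] = self.origin(path, session_user)
        return self.store[path][1]


class SafeCache(NaiveCache):
    """Stores only responses the origin explicitly marked as shareable."""
    def get(self, path, session_user=None):
        if path in self.store:
            return self.store[path][1]
        headers, body = self.origin(path, session_user)
        directives = {d.strip().split("=")[0].lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        if "public" in directives and not directives & {"private", "no-store", "no-cache"}:
            self.store[path] = (headers, body)
        return body


def demo(cache_cls):
    """One logged-in request, then a logged-out visitor hits the same URL."""
    cache = cache_cls(render_page)
    first = cache.get("/account", session_user="alice")
    second = cache.get("/account", session_user=None)
    return first, second


if __name__ == "__main__":
    print("naive:", demo(NaiveCache))
    print("safe: ", demo(SafeCache))
```

With the naive cache the logged-out visitor is served the first customer's account page; the hardened variant still caches catalogue pages but always passes personalised responses through to the origin.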
We'll let you know as and when we get more info. ®