  1. #1
    Join Date
    Aug 2004
    Location
    Newport, Wales
    Posts
    283
    Plugin Contributions
    0

    Customers details apparently on View

    Hi

    Just had a freaked out customer phone up saying her customer account had been hacked and she has had to cancel all her credit cards.

    The scenario is as follows - another customer visited our site and when she found something she liked she added it to her basket ready to create an account, whereupon it immediately took this customer into the other customer's account.

    This customer, who could see the other customer's info, mailed her telling her how she got her email address and why she was mailing.

    She ended by saying

    >As I work in new media I realise just how very poor security this is and am
    >worried for your personal details. Of course I logged out and didn't place
    >the order as it would have a) been on your account and b) I now don't trust
    >the site and will get the gift from elsewhere.

    Any idea how I can verify if this actually happened and if so why?

    More bad news is that the site is still using 1.2.6 (???? I have just noticed that in admin it says that the Version of Zen Cart appears to be Current ... something is seriously wrong here!)

    Any help would be appreciated

    Cheers
    Brinley

  2. #2
    Join Date
    Jul 2006
    Posts
    90
    Plugin Contributions
    0

    Re: Customers details apparently on View

    I have noticed something very similar while using the who's online tool. Occasionally when clicking on the same product that the customer is looking at, from within admin, I am actually logged into the customer's account and can see all their account details!!

    I have searched the forums but haven't found anything like this posted by anybody else until now. BTW, I'm using 1.3.02

  3. #3
    Join Date
    May 2006
    Location
    Texas
    Posts
    565
    Plugin Contributions
    4

    Re: Customers details apparently on View

    This is normal.. yes it isn't secure but it's the customer's fault in this case (unless something is terribly wrong with your cart)

    Basically.. whenever customers click around.. they don't realize that there is an "ID" of some sort in the URL (zencart uses zenID). If they are logged in, and have that zenID in the URL.. and copy paste that URL somewhere.. anyone who clicks that link will be logged into that customer's account. It may not be so if the customer logged out and logged back in (assigned a different zenID) but I'm assuming they did not
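
For the opening question of how to verify whether this happened, one check is to look in the web server access log for a single zenid value requested by more than one client. The sketch below is an added example, not code from this thread or from Zen Cart; it assumes Apache "combined" log format and uses a constructed sample log. A customer whose IP address changes mid-session will also be flagged, so treat hits as leads to review.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache "combined" format (documentation IPs, made-up IDs).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2006:10:01:02 +0000] "GET /index.php?main_page=account&zenid=3f9c0a1b7d2e4c55 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [12/Dec/2006:10:03:40 +0000] "GET /index.php?main_page=product_info&products_id=42&zenid=3f9c0a1b7d2e4c55 HTTP/1.1" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [12/Dec/2006:14:22:09 +0000] "GET /index.php?main_page=product_info&products_id=42&zenid=3f9c0a1b7d2e4c55 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
192.0.2.44 - - [12/Dec/2006:14:30:00 +0000] "GET /index.php?main_page=index&zenid=9e8d7c6b5a4f3210 HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
192.0.2.44 - - [12/Dec/2006:14:31:00 +0000] "GET /index.php?main_page=index HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
"""

# One request line: client IP, timestamp, URL, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_ids(url, param="zenid"):
    """Return every non-empty value of the session parameter in a URL."""
    query = urlsplit(url).query
    return [v for k, v in parse_qsl(query) if k.lower() == param and v]


def shared_sessions(log_text, param="zenid"):
    """Map each session ID used by 2+ clients to {(ip, user_agent): first_seen}."""
    clients = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for sid in session_ids(m["url"], param):
            # setdefault keeps the earliest timestamp for each client
            clients[sid].setdefault((m["ip"], m["ua"]), m["ts"])
    return {sid: seen for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, seen in shared_sessions(SAMPLE_LOG).items():
        print("session", sid, "was used by", len(seen), "clients:")
        for (ip, ua), ts in seen.items():
            print("   ", ts, ip, ua)
```
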

  4. #4
    Join Date
    May 2005
    Posts
    110
    Plugin Contributions
    0

    Re: Customers details apparently on View

    I have just sent out a newsletter and the links I used within the newsletter include the zenid value from when I was logged in to the site and I copied the links. We have now had customers start clicking on links within the newsletter and start buying products under other people's names and all sorts...

    Is there any way to fix this problem? These links could be clicked anytime over the next month and cause havoc within our system.

    Your urgent help is much appreciated, thank you in advance!

    Brad.

  5. #5
    Join Date
    Jan 2004
    Posts
    66,419
    Blog Entries
    7
    Plugin Contributions
    277

    Re: Customers details apparently on View

    You don't have many options there.

    1. Don't do that

    2. Admin->Configuration->Sessions->Recreate Session ... set to True
    Hopefully your server configuration won't have a problem with this setting.
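
To make "Don't do that" routine, newsletter HTML can be run through a filter that removes the zenid parameter from every link before it is sent. The following is an added example, not code from this thread or from Zen Cart; the function names and the shop.example URLs are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Double-quoted href attributes; the value is captured in group 2.
HREF_RE = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)


def strip_session_param(url, param="zenid"):
    """Return (url_without_param, changed). Other query parameters are kept."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != param]
    if len(kept) == len(pairs):
        return url, False
    return urlunsplit(parts._replace(query=urlencode(kept))), True


def clean_newsletter(markup, param="zenid"):
    """Strip the session parameter from every link; return (markup, links_fixed)."""
    fixed = 0

    def fix(match):
        nonlocal fixed
        # Attribute values are HTML-escaped (&amp;), so unescape before parsing.
        url, changed = strip_session_param(html.unescape(match.group(2)), param)
        if not changed:
            return match.group(0)
        fixed += 1
        return match.group(1) + html.escape(url, quote=True) + match.group(3)

    return HREF_RE.sub(fix, markup), fixed


# Constructed newsletter fragment with one link copied from a logged-in session.
SAMPLE = (
    '<a href="http://shop.example/index.php?main_page=product_info'
    '&amp;products_id=42&amp;zenid=3f9c0a1b7d2e4c55">Gift</a> '
    '<a href="http://shop.example/index.php?main_page=index">Home</a>'
)

if __name__ == "__main__":
    cleaned, count = clean_newsletter(SAMPLE)
    print(count, "link(s) cleaned")
    print(cleaned)
```

Refusing to send while the returned count is non-zero, and correcting the source links instead, also catches the mistake at the point where the links were copied.
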

  6. #6
    Join Date
    May 2005
    Posts
    110
    Plugin Contributions
    0

    Re: Customers details apparently on View

    Here is a quick fix to the problem for anyone else who experiences it:

    Using FTP, download
    includes/application_top.php
    search for zenid, rename it to session

    save and re-upload...


    make a backup first before ever making any changes

    Long term solution is to upgrade to the new version of zc :)

  7. #7
    Join Date
    Jan 2007
    Posts
    24
    Plugin Contributions
    0

    Re: Customers details apparently on View

    Did you end up solving this issue? I just had a customer experience the same issue.

    Thanks

  8. #8
    Join Date
    May 2005
    Posts
    110
    Plugin Contributions
    0

    Re: Customers details apparently on View

    See my post above.
