
Seeing Others’ Account Information - More Problems, With Proof

There have been more instances of this problem, seemingly beyond Admin’s earlier explanation, with no input from Admin as of yet on these new instances, captured with screenshots. Please see UEN’s earlier post for the situation, plus the new updates.

EDIT: Admin’s many locks and responses are reposted in comments below.

EDIT (by starrydesigns): Read about the latest incident here.

EDIT:
(by Soap) - latest update here - click.

78 Responses to “Seeing Others’ Account Information - More Problems, With Proof”


  1. 30
    GreenMamba Says:

    Heavens. I have a lot of thoughts about this - not many of them complimentary. And I do take exception to the admin characterization of our concerned posts as “panic” and “sensationalism”. Below is a copy of some of the thoughts that I have shared with another Etsian (hope she doesn’t mind):

    The real panic, I believe, must be on the admin side. This phenomenon truly has grave implications. It will only take one malicious opportunist to reveal just how serious this breach is. I do hope that they are, in fact, doing all they can to trace this out - but, even more importantly, they ought to be taking *pre-emptive* measures, such as the ones suggested in the last locked threads, to prevent further incidents. In fact, I’m going to keep my eye on the fora for new reports. If there are any, I will immediately inquire whether new safeguards have been implemented - and if not, then why. . . At this point, with all they do know, and the possible fixes to choose from, this should be, in my opinion, an issue of the past.

    An ounce of prevention. . .

  2. 29
    Soap Says:

    Because that’s too simple, apparently.

  3. 28
    JB Says:

    I just had a brainstorm in the shower. Instead of testing this and that and trial and error, why doesn’t etsy just ASK google what to do? Just contact them, and ask what code they need to use to prevent google accelerator from caching the pages. Don’t accuse google, don’t say “why are you ignoring my no-cache headers?”. Just politely ask for the optimum configuration of their meta tags that will definitely work on GWA. I am sure they know the behavior of their own software and have a template of meta tags that will block it.
    Now there may be other accelerators and other ISP that use proxy caching and inline caching, and those may behave differently so that won’t be the cure-all for everyone. But at least it will work on the most obvious culprit.

  4. 27
    Soap Says:

    OK, my bad - I mis-typed, it’s MARCH. But that’s still been months.

    I agree about the patronizing language - if people’s addresses can be viewed, that’s a problem. Or private communications, or whatever.

    Bottom line - reproducible or not, there’s been multiple reports from multiple unrelated users and now multiple screenshots. If it’s something that can be done reasonably quickly using industry standard (like past cache dates), why are they delaying?

  5. 26
    Facade Says:

    Soap said,

    July 23, 2007 @ 1:21 pm

    “…BUT if they’ve KNOWN about this issue since FEB…”

    ——-

    I’m not sure about that. sereneonion posted in March 2007 about accessing misocat’s Etsy bill. There was another comment in that thread that COULD have been a shared-computer problem, so I wouldn’t count on it being the same thing.

    I saw related threads back before the V2 changeover. I don’t know what V2 changed, so maybe this is a different problem.

    But yes, I’m also frustrated that they’re using loaded words like “sensationalism” and “panic” to describe our posts. Just this month, melisap, kitten59, and mygirlfine all have screencaps showing that this is an actual problem.

    I hope they actually read through the threads. Looks like there’s a quick work-around by just retro-dating the meta headers.
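
An added example, not part of any comment here and not Etsy's code: JB's and Facade's comments above point at no-cache headers and retro-dated expiry as the fix. Proxies and accelerators act on HTTP response headers, so this Python check classifies the headers of a logged-in page by whether a shared cache may store and reuse it. The function names and the sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control header value into {directive: argument}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out

def audit_private_page(headers, now=None):
    """Classify a logged-in page's response as 'safe', 'weak' or 'exposed'."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    # private / no-store forbid a shared cache from keeping any copy.
    if "private" in cc or "no-store" in cc:
        return "safe"
    life = cc.get("s-maxage", cc.get("max-age"))  # s-maxage wins for shared caches
    # no-cache or a zero lifetime: a copy may be stored, reuse needs revalidation.
    if "no-cache" in cc or life == "0":
        return "weak"
    # A lifetime or 'public' lets intermediaries reuse the page for other users.
    if life is not None or "public" in cc:
        return "exposed"
    if "expires" not in h:
        return "exposed"  # no freshness information: heuristic caching is allowed
    try:
        when = parsedate_to_datetime(h["expires"])
    except (TypeError, ValueError):
        return "weak"  # an invalid date such as "0" counts as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    # Retro-dated Expires: stale at once, but only if the cache honours it.
    return "weak" if when <= now else "exposed"

# Constructed sample responses for an account page (not captured traffic).
SAMPLES = {
    "no cache headers": {"Content-Type": "text/html"},
    "retro-dated Expires": {"Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "no-cache only": {"Cache-Control": "no-cache"},
    "public": {"Cache-Control": "public, max-age=600"},
    "private, no-store": {"Cache-Control": "private, no-store"},
}

def audit_samples(now=datetime(2007, 7, 23, tzinfo=timezone.utc)):
    """Run the audit over every constructed sample at a fixed reference time."""
    return {name: audit_private_page(hdrs, now) for name, hdrs in SAMPLES.items()}
```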

  6. 25
    JB Says:

    “While there are multiple documented cases, this bug is a very difficult thing to reproduce (which I understand is a big part of bug-hunting on the engineering side of things).”

    I can respect that because it is a sporadic bug not a consistent one. However, it would be especially difficult to reproduce if one does not have a web accelerator installed. I HOPE that one of their QA staff has installed that software on a spare machine to conduct these tests. The first step to reproducing the bug is to recreate the conditions under which it occurs.

  7. 24
    JB Says:

    Stella replies:
    stellaloella says:
    We are definitely taking these reports seriously and are continuing to investigate the situation. Even though threads are locked, we have still cataloged the information. While there are multiple documented cases, this bug is a very difficult thing to reproduce (which I understand is a big part of bug-hunting on the engineering side of things).

    At this time, we do not believe this glitch to be an actual security threat, but we do understand why people are concerned. We’ll keep you updated as more info becomes available.

    Presently, while we need users to keep reporting these events, it is not beneficial for anyone to have a public panic on the forums (which is why previous threads were locked).

    I’ll leave this thread open for those involved to report new information, but please keep it level-headed. Thank you.

    I personally would like to apologize if it *seems* our attitude toward this is anything less than serious. I assure you we are not taking this lightly and are continuing to work on figuring it out and finding a solution for all those involved.
    ……………………………………..

    The admonition to “keep it level-headed” and not start panic I find personally insulting. The locked thread was very level-headed and contained useful factual information. No one was screaming “the sky is falling”. If they have any dispute or disagreement with the factual or technical information presented, then they should correct it. Do not just paint us all as hysterical panic-mongers.

  8. 23
    sillyshaley Says:

    New thread:

    http://www.etsy.com/forums_thread.php?thread_id=5166279

  9. 22
    amanda aka ebbandflo Says:

    i am unnerved.
    my page also has addresses of family to whom i send gifts from etsy sellers - i’m now annoyed that potentially their details might be broadcast

    are convos the only thing that have been seen so far or are there other details coming out too?

  10. 21
    sillyshaley Says:

    The lack of decisive action is very unsettling, to say the least.
