haim
Etsy Admin
haim says:
Here’s a quick update on some of the bigger bugs we’ve been fighting…- The cookie/login issue
We’ve found a bug in how we generate random data that could possibly result in login “collisions”. It’s our theory that user A would login and get his random data token. Sometime thereafter user B would generate the exact same random data thus grabbing user A’s session. We’ve got a short term fix in the works that will highly decrease the chances of that happening. It’s our goal to have that fix pushed out early Wednesday AM EST. In addition we’re working on a larger long term fix to better handle cookies in general.
- 500 errors on the bill pages
Users with a large amount of unbilled charges or a large amount of charges under a single bill would generate “500 errors” when loading pages. We’ve got a fix in the works to paginate out these pages which should resolve the issue.
- Images not loading/hanging
This one is a horrible ghost in the machine. The crazy randomness of this issue along with an inability to recreate on demand is making this one incredibly difficult to track down. We’ve got people looking over every single part of our system to try and find where this gremlin lives. I don’t have any updates for you as of yet, but it’s something we’re all working on.
[Editor-added bolding]
These are updates on issues we covered previously:
Users reporting seeing other people’s account info which continued from our original coverage.
March 18th, 2008 at 10:30 am
i think i linked back to this thread on the etsy forum thread to alert users that this is a ‘long standing’ problem
cannot remember if i suggested screenshots of non-sensitive material
March 18th, 2008 at 9:45 am
Something interesting about the last round of problems with the web accelerator/wrongful-login issue last time was that it appeared several users who logged in and found themselves in an account which wasn’t theirs were in the same user’s account. Ramona.etsy.com. (I remember this because she’s user 666.)
I wish we had more of an idea of how deep the breach goes. Like instead of people logging in and logging right back out, someone (trustworthy, please) would do some exploring to see if they’re able to see private information or affect listings or the shop.
Amazon sometimes appears to have that web-accelerator issue. I’ve had incidents where I pasted a link to an Amazon listing which I accessed while logged in, and others clicked the link and were superficially in my account, but if they tried to access secure information, it didn’t work. It’s very unnerving to know this is going on, but not as bad as it could’ve been.
March 17th, 2008 at 7:15 pm
I saw that thread ebb, and it’s very worrying. Etsy did finally put the no-cache headers on their pages so this can’t be the identical cause as before. The OP in that thread also said they did not share a computer, which was one of the excuses Etsy gave last time this happened. (even though most of the previous victims of the bug also did not use shared computers)
I would be curious to know if the OP uses any kind of web accelerator, since that was the cause last time, but the no-cache headers should be disabling the proxy caching that web accelerators use.
The other question I’d ask, if I were an admin investigating this, is the name of the other account she got logged into, and then find out if that other user uses the same ISP or uses a web accelerator.
I just hope the admins look into the issue seriously and don’t brush it off or tell the OP to clear their cache. That only solves the symptom but does nothing to resolve the CAUSE.
March 17th, 2008 at 11:11 am
is it happening again? http://www.etsy.com/forums_thread.php?thread_id=5522465
July 30th, 2007 at 2:01 pm
[...] info in these threads: http://etsynews.com/296/a-fix-in-the-works-for-security-issues/ http://etsynews.com/292/updates-on-viewing-other-user-pages-images-bill-page-errors/ [...]
July 28th, 2007 at 3:10 pm
It didn’t occur to me either until these last two cases. Before, I think it was mostly sellers swapping pages with other sellers. But the last two were sellers swapping with buyers, and you can’t swap a page that you don’t have.
July 28th, 2007 at 10:47 am
JB, thanks for that. I had never thought about the reasons some users were limited in what they could access once in another user’s account. The sellers logging into a buyer account makes a lot of sense.
July 27th, 2007 at 11:45 pm
I am not sure if there are more cases happening, or just more cases being publicly reported. It might have been a hidden iceberg before and now a little more of the berg is being exposed. I did always suspect there were more cases than we knew about. I am not sure why there was no admin reply in the main thread today when teaforbini had tried all the recommended fixes and STILL could not get out of the other user’s account!
I think when a seller gets logged into a buyers account, then only certain “wrong” pages will show. A buyer only has certain pages, less pages than a seller. For example when GreenEnvyDesigns is logged in as thenetherwood (a buyer only), they are seeing thenetherwood’s purchases because a buyer has a purchases page. They would see their own info on the shop page, bill page, etc. The buyer has no corresponding pages for those urls, so GreenEnvyDesigns sees her own pages there.
teaforbini saw someone else’s convos and favorites and purchases, she said it was a buyer only. But she could see her own shop page and bill page, because the buyer didn’t have those pages.
July 27th, 2007 at 11:26 pm
FYI
(doesn’t etsy have a CA office? CA customers?)
FTC Laws and Guidelines:
Another thing your online business needs to do is understand and comply with the growing number and complexity of state and federal laws regarding what companies are required to do in case of a known security breach. In California, businesses are subject to the following law:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages. (b) Any business that violates, proposes to violate, or has violated this title may be enjoined. (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law. In effect, even if a business was not responsible for the security breach in the first place, it is still liable for any cost to the consumer if it doesn’t immediately notify the consumer about the security breach.
July 27th, 2007 at 11:21 pm
Personally, I’m through with trying to convince Etsy staff that a live, ecommerce website isn’t the best place to experiment with being a programmer. They are tone deaf to anything but their own little mantras, and I’m frankly tired of being treated like I’m hopelessly old fashioned because I don’t think the most important qualification for an engineer is their “shine” or sense of humor.
It’s been asked if the current issue is related to the earlier MD5 hash table collisions. There’s no way to know WHAT is going on without further information from behind the walls.
It’s also been asked if it is reasonable and customary for programming issues to take as long to resolve as they seem to take the Etsy team. The answer is “No.” There are only three avenues for attacking a software issue. If the software has become unstable in the current environment, or is otherwise inappropriate for the current company needs, you either replace it, rewrite it, or scrap it. That’s the only choices.
Alchemy, for example, has sat unattended and “broken” for nine months. Any company I’ve ever worked for or with would have either rewritten it long before now (from scratch if need be), or deep-sixed it permanently. The month after month dragging-on effect and constant excuses makes the programming team look incompetent, apathetic, or both.
Etsy lost my business forever when they made it clear that community advocates are FAR more important than engineers. Their requirements (in writing) for the programmers that they were supposed to be hiring to fix the website problems suggested that experience would be good, but wasn’t a “must”. For a site already showing signs of major structural problems, and with the depth of responsibility INHERENT in handling ecommerce and thousands of members financial information, that kind of lack of oversight and common sense is unacceptable and irresponsible.