
Archive for Site Security

A Tale of Two Bugs: Line Breaks Go MIA During Listing Creation (ongoing); Access to Other User Accounts via Posted Links (resolved)

Reports have surfaced detailing a glitch, or bug, in the listing process. Line breaks placed between paragraphs in the listing description seem to disappear at the last step (step 5 or page 5), resulting in a condensed block of text. It has been discovered that if the user clicks the ‘Finish’ button and the listing is published, all text appears to be formatted as it should be. Read about it here and here.

While trying to provide an example of the condensed description, another somewhat more alarming bug was discovered. A seller provided a direct link (instead of a screenshot) to the page containing the non-formatted listing description, as an example, and any user who clicked it ended up in that seller’s account. Access was limited to the one page being viewed (for example, clicking on ‘Currently For Sale’ in the left sidebar menu took me to MY current listings, not the other seller’s listings), but the fact that it could be accessed at all was cause for concern. The seller did end up with a duplicate listing of the item being listed. No word on whether that was caused by another user testing out the links and buttons, or by RD behind the scenes while he was investigating.

The security issue has been resolved. In the future, any direct links should lead to the brickwall graphic, accompanied by this textual warning: “You’ve reached an error: You don’t have permission to change or remove this information. Go back”. Thanks RD for the super-quick response!

The line-break issue is still under investigation.
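The fix RD describes comes down to one check: the page for a listing's final creation step has to confirm that the draft belongs to the logged-in user before rendering it. The following is an added example written for this post, not Etsy's code; it models the "before" behaviour (look the draft up by id alone) beside the "after" behaviour (owner must match the session user), using the error text quoted above. The Draft record, the DRAFTS table and the render functions are hypothetical.

```python
"""Ownership check for a per-user page reached by direct URL.

Added example, not Etsy's code. A listing-creation step page that could be
opened by anyone holding its URL is fixed by comparing the owner of the
requested draft with the session user before rendering. Draft, DRAFTS and
the render_* functions are hypothetical names.
"""
from dataclasses import dataclass

# Error text from the post above, shown with the brickwall graphic.
ERROR_TEXT = ("You've reached an error: You don't have permission to change "
              "or remove this information. Go back")


@dataclass(frozen=True)
class Draft:
    draft_id: int
    owner_id: int
    description: str


# Constructed sample data: two sellers, one unpublished draft each.
DRAFTS = {
    501: Draft(501, owner_id=7, description="Hand-thrown mug\n\nDishwasher safe."),
    502: Draft(502, owner_id=9, description="Knitted scarf"),
}


def render_step5_vulnerable(session_user_id, draft_id):
    """'Before': the draft is looked up by id only, so any logged-in user
    who has the link sees another seller's draft."""
    draft = DRAFTS.get(draft_id)
    if draft is None:
        return {"status": 404, "body": "No such listing"}
    return {"status": 200, "body": draft.description}


def render_step5_fixed(session_user_id, draft_id):
    """'After': the draft must belong to the session user. A missing draft
    and someone else's draft get the same permission error, so the
    response does not reveal which of the two it was."""
    draft = DRAFTS.get(draft_id)
    if draft is None or draft.owner_id != session_user_id:
        return {"status": 403, "body": ERROR_TEXT}
    return {"status": 200, "body": draft.description}


if __name__ == "__main__":
    # Seller 9 follows a link that seller 7 pasted into the forum.
    print(render_step5_vulnerable(9, 501))  # leaks seller 7's draft
    print(render_step5_fixed(9, 501))       # permission error
    print(render_step5_fixed(7, 501))       # the owner still sees it
```

The sidebar behaviour described above (other links taking you back to your own listings) is what you expect when only one handler skipped the ownership check; the check belongs in every handler that takes a user-owned id, not just the one that was reported.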

RevolvingDork says:

There was an issue that allowed that final listing creation step to be viewed if the direct URL was given, but it’s now been corrected and is no longer possible.

Back onto the issue at hand, we’re checking out the spacing on step 5 and hope to have that solved soon…

Posted at 10:18 pm, June 17 2008 EST

http://www.etsy.com/forums_thread.php?thread_id=5670311&page=9

UPDATE by GreenMamba 6-18-08
The line-break issue has been resolved.

RevolvingDork says:

Thanks for your help in tracking this one down — it should be fixed up now!

Posted at 10:39 am, June 18 2008 EST

http://www.etsy.com/forums_thread.php?thread_id=5670311&page=10

New TRUSTe Logo an Attention Grabber

REVISED entry 

Today, Etsians noticed what they thought was a new link at the bottom of the Etsy front page. The link is a clickable logo from TRUSTe, “an independent, non-profit organization whose mission is to build user’s trust and confidence in the Internet by promoting the use of fair information practices.” (from the Etsy Privacy Policy)

In fact, Etsy’s license with TRUSTe is NOT new, but it has been renewed - and the TRUSTe logo is now much more prominent. The privacy policy that this license pertains to is the same as before, with the exception of these two differences, one made for clarity, one to provide additional info:

  1. In the original TRUSTe license, Etsy was covered under iospace inc. Now, Etsy is named as a company in its own right.
  2. The third paragraph in Editing and Deleting Account Information now contains an additional sentence (bold lettering added for identification):

If your personally identifiable information changes, or if you no longer desire our service, you may correct, update, delete or deactivate it by making the change on your member account page or by emailing our Customer Support at support@etsy.com or by contacting us by telephone or postal mail at the contact information listed below. We will respond to your request within 10-20 business days.

While this info may not be new, it has served as a reminder to us all to become acquainted with, and periodically refresh our understanding of, the various policies and rules that govern Etsy.

Etsy acts quickly to plug security hole

Last night sellers discovered that an XML feed on Etsy’s API revealed the first and last names of all Etsy sellers and their latitude and longitude. For those of you who don’t know what an XML feed looks like, here is a screen capture of part of the feed in question:

Feed prior to notifying Etsy admin

Despite it being late at night on a weekend, within an hour of being notified about this security hole, Etsy admin removed the first and last name and the latitude and longitude fields from the feed.

Security hole fixed by Etsy admin
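The usual way to keep a feed from leaking columns like these is to serialize only an explicit allowlist of fields rather than every column on the record. The following is an added example written for this post, not Etsy's code: a seller feed that dumps every key (the leaky shape described above) beside one restricted to an allowlist, plus a small check that scans a feed for tags that should never appear. The record layout, tag names and sample sellers are constructed.

```python
"""Allowlisting fields before an API feed is serialized.

Added example, not Etsy's code. build_feed() with no allowlist emits every
key of each record (the leaky behaviour); with PUBLIC_FIELDS it emits only
those. leaked_fields() is a regression check you can point at real feed
output. Record fields, tag names and sample data are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample records; the people and coordinates are made up.
SELLERS = [
    {"user_id": 101, "user_name": "mugmaker", "first_name": "Ada",
     "last_name": "Lovelace", "latitude": 51.52, "longitude": -0.10,
     "shop_url": "http://www.etsy.com/shop.php?user_id=101"},
    {"user_id": 102, "user_name": "scarfknits", "first_name": "Grace",
     "last_name": "Hopper", "latitude": 40.71, "longitude": -74.01,
     "shop_url": "http://www.etsy.com/shop.php?user_id=102"},
]

# Fields the feed is meant to publish. Anything not listed never reaches
# the output, so a column added to the database later cannot leak by default.
PUBLIC_FIELDS = ("user_id", "user_name", "shop_url")

# Tags that must never appear in a public feed.
SENSITIVE_FIELDS = ("first_name", "last_name", "latitude", "longitude")


def build_feed(sellers, fields=None):
    """Serialize sellers to an XML string. fields=None means every key
    (the leaky behaviour); pass an allowlist to restrict the output."""
    root = ET.Element("sellers")
    for seller in sellers:
        node = ET.SubElement(root, "seller")
        for key, value in seller.items():
            if fields is not None and key not in fields:
                continue
            ET.SubElement(node, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def feed_before():
    """Feed as it was: every column of the seller record."""
    return build_feed(SELLERS)


def feed_after():
    """Feed after the fix: only the allowlisted columns."""
    return build_feed(SELLERS, PUBLIC_FIELDS)


def leaked_fields(xml_text, sensitive=SENSITIVE_FIELDS):
    """Return the sorted set of sensitive tag names found anywhere in the
    feed; an empty list means the feed is clean."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if el.tag in sensitive})


if __name__ == "__main__":
    print("before:", leaked_fields(feed_before()))
    print("after: ", leaked_fields(feed_after()))
    print(feed_after())
```

The allowlist is the important half: a denylist of "known private" columns has to be updated every time the schema grows, whereas an allowlist fails closed.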

Login issue most likely to affect university, school and work computers

Haim offers an update on the cookie login issue here.

“The most likely people to have been affected by this are users using university, school, or work computers.”

More info in these threads:
http://etsynews.com/296/a-fix-in-the-works-for-security-issues/
http://etsynews.com/292/updates-on-viewing-other-user-pages-images-bill-page-errors/
http://etsynews.com/273/hey-thats-not-my-user-name/

edit by JB to add links

UPDATES on Viewing Other User Pages, Images & Bill Page Errors

Read here:

haim (Etsy Admin) says:
Here’s a quick update on some of the bigger bugs we’ve been fighting…

- The cookie/login issue

We’ve found a bug in how we generate random data that could possibly result in login “collisions”. It’s our theory that user A would log in and get his random data token. Sometime thereafter user B would generate the exact same random data thus grabbing user A’s session. We’ve got a short term fix in the works that will highly decrease the chances of that happening. It’s our goal to have that fix pushed out early Wednesday AM EST. In addition we’re working on a larger long term fix to better handle cookies in general.

- 500 errors on the bill pages

Users with a large amount of unbilled charges or a large amount of charges under a single bill would generate “500 errors” when loading pages. We’ve got a fix in the works to paginate out these pages which should resolve the issue.

- Images not loading/hanging

This one is a horrible ghost in the machine. The crazy randomness of this issue along with an inability to recreate on demand is making this one incredibly difficult to track down. We’ve got people looking over every single part of our system to try and find where this gremlin lives. I don’t have any updates for you as of yet, but it’s something we’re all working on.

[Editor-added bolding]
These are updates on issues we covered previously:
Users reporting seeing other people’s account info which continued from our original coverage.

Image-loading issues.
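haim's explanation of the cookie/login issue (two users being issued the same "random" token, so the second one lands in the first one's session) is the classic failure of a session token drawn from a predictable generator. The following is an added example written for this post, not Etsy's code: a token generator seeded from the login time at one-second resolution, which hands two logins in the same second the same token, beside a generator built on the operating system's CSPRNG, and a session store that refuses to reuse a token already in use instead of silently reassigning the session. The seeding scheme, token length and store are assumptions; the root cause at Etsy is not described on the page beyond haim's summary.

```python
"""Session tokens from a weak versus a cryptographic random source.

Added example, not Etsy's code. weak_token() seeds a PRNG from the login
time truncated to whole seconds, so two logins in the same second collide;
strong_token() uses the secrets module. SessionStore.issue() checks for a
collision before handing a token out. Seeding scheme, token length and the
store are assumptions.
"""
import random
import secrets


def weak_token(login_time):
    """'Before': deterministic in the second the user logged in. Any two
    logins within the same second get byte-identical tokens."""
    rng = random.Random(int(login_time))
    return "%032x" % rng.getrandbits(128)


def strong_token():
    """'After': 128 bits from the OS CSPRNG. No shared seed, so a collision
    between two tokens is negligibly unlikely."""
    return secrets.token_hex(16)


class SessionStore:
    """Maps token -> user id. issue() retries on a collision rather than
    overwriting an existing session, which is the behaviour that put
    user B into user A's account."""

    def __init__(self, token_fn=strong_token):
        self._token_fn = token_fn
        self._sessions = {}

    def issue(self, user_id, max_tries=5):
        for _ in range(max_tries):
            token = self._token_fn()
            if token not in self._sessions:
                self._sessions[token] = user_id
                return token
        # With a healthy generator this is unreachable; with a broken one
        # it is far better to fail than to reassign someone's session.
        raise RuntimeError("could not allocate a unique session token")

    def lookup(self, token):
        return self._sessions.get(token)


def demo_collision():
    """Two logins 0.4 s apart: the weak generator repeats its token, the
    strong one does not. Returns (weak_same, strong_same)."""
    a = weak_token(1213740000.1)   # constructed timestamps
    b = weak_token(1213740000.5)
    return a == b, strong_token() == strong_token()


if __name__ == "__main__":
    print("weak collides, strong collides:", demo_collision())
    store = SessionStore()
    t1, t2 = store.issue(1), store.issue(2)
    print(store.lookup(t1), store.lookup(t2))
```

The store check is defence in depth, not a substitute for the generator fix: with the weak generator it turns a silent account mix-up into a failed login, which is at least visible in the logs.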

Hey, That’s Not MY User Name! Possible Etsy Account Info Security Concerns??

[JULY 22 UPDATE: two more Etsy users report they see other users' convos]

Have you ever logged into your Etsy account only to see yourself in someone else’s account? Some Etsy users have reported seeing this.

On July 2, Facade compiled some of the threads in which different Etsy users reported similar accounts of apparently accessing other Etsy users’ pages, including convos and billing page. These posts went as far back as Feb or Mar 2007. To simplify viewing, I’ve placed Facade’s original post beneath Chris’ response, copied below, which was posted 8 days later (he also locked the thread):

RevolvingDork says:
The only way this phenomenon has occurred is when a user’s cookies are read improperly or multiple users are logging into the same machine. When it does occur, it is not possible to see any private data or alter any part of another user’s account. It is just the username at the top of the page that is shown incorrectly.

If you experience this issue, be sure to do the following:

1. Deactivate any web accelerator programs you have running
2. Click Etsy’s logout button
3. Clear your browser’s cookies
4. Restart your computer
5. Log back into Etsy

If you follow these steps, your login should work normally.
Posted at 3:04 am, July 11 2007 EST

(bolding added by editor)

The bolded part disturbs me a bit - what exactly does “when a user’s cookies are read improperly” mean? User #1’s cookies can be read as those for user #2 - on a different computer, possibly in different state or even a different country?

Had the thread not been locked, people could’ve asked Chris to clarify his statement.

EDIT July 11: Click here to post about Chris’ post above or about other concerns on this issue.
___________________________________

Facade’s original post:

facade says:
What’s up with that bug that puts people inside the wrong Etsy account?

I’ve seen mention of it scattered all over the place, and eclipse rounded up a few more. I think the problem’s falling through the cracks because people have posted in threads that dealt with unrelated bugs. So I’m gathering examples here.

fallinstyle:
Someone else created two treasuries using her userid. She wasn’t logged in at the time. Nobody ever figured out how it happened.
http://www.etsy.com/forums_thread.php?thread_id=5142500

HeatherLynnWhite:
Saw someone else’s convos while logged in to her own account.
(Don’t know if she would have been able to read the convos.)
http://www.etsy.com/forums_thread.php?thread_id=5144215

magicforestcreations:
Ended up in someone else’s shop.
http://www.etsy.com/forums_thread.php?thread_id=5144215&page=2

Taina:
Kept seeing someone else’s convos when trying to check her own.
(Don’t know if she would have been able to read the convos.)
http://www.etsy.com/forums_thread.php?thread_id=5115794

sereneonion:
Ended up in misocat’s account.
(Could access misocat’s Etsy bill. Could *not* edit/delete misocat’s listings, thank goodness.)
http://www.etsy.com/forums_thread.php?thread_id=5054346&page=2

Please, somebody fix this. Even if random people can’t open my convos, they could still read that first line in the summary. I’m especially worried that someone else was apparently able to make treasuries under fallinstyle’s i.d.
Posted at 5:08 pm, July 2 2007 EST

EDIT July 11: Another thread in which melisap reports she appears to be logged into another person’s account - click here to view the thread (Chris locked this one, referring it to Facade’s now locked thread - copied above):

melisap says:
There was a recent thread on this and I thought I would repost because 1- it happened again and 2- I was logged into the same person’s account as I was before. I didn’t go anywhere in her shop, but I did screen print it for ‘proof’. Refreshing the page cleared the problem and brought me back to my page.
It’s scary that this happened on two different computers and that I ended up in the same account. This could be dangerous…
Posted at 5:15 pm, July 10 2007 EST

(editor-added bolding)

melisap clarifies in an ongoing thread

Both times this happened to me were on two separate computers to which only I have access. A home laptop and a work computer. I was logged into the same person both times, and I have a screenshot of the gal’s store I was logged into . . . .

In addition, it is NOT just the username at the top. I can view her ENTIRE store. The front page has ALL of her listings. I have a screenshot, so please do not say that this is just a username at the top issue . . . .

This account I have never seen before, and on two computers to which only I have access.

EDIT by starrydesigns

Chillionaire says:
Hi all!

I wish I had more information to pass along right now, but I do want to remind everyone that even if for some reason someone gains access to your account, it is impossible for them to view all your billing info. In order to change any billing info, it must all be re-entered and card numbers are not visible to even you.

We hope to have more on this soon, and we will be sure to keep you updated.

—>Lori40
Posted at 2:30 pm, July 11 2007 EST

Another thread locked:

RevolvingDork says:
Shutting this down to prevent panic due to sensationalism — There is no known issue with login security on Etsy. If you are having issues, please bring them up with specifics in a new thread
Posted at 8:16 pm, July 11 2007 EST

[EDITOR'S NOTE: I will edit this when I have more time and I have had some sleep]