Todashi Posted February 23, 2007

As the subject line says, this is a weird one. I got an e-mail from a customer this evening, let's call him Customer B, complaining that when he purchased an item, the acknowledgement e-mail sent back to him to acknowledge receipt of the order listed somebody else's name and address. He was concerned that his account had been compromised and that his credit card details might be associated with a different user. I don't think there is any real damage done because I only accept PayPal, and so I don't think his credit card details could be compromised. Even so, I need to know what the hell happened in order to continue letting people submit their CC details.

Here's what seems to have happened: Customer A (who I happen to personally know, thankfully) went onto my webstore around the same time as Customer B, and both tried to purchase the same item from the webstore. Customer B registered an account with the webstore; however, Customer A tried to do it without registering an account - he figured that as he already had a PayPal account, he didn't need to. Customer A essentially seems to have tried to just click through the process to pay for the item but when he did so, he says he somehow managed to get presented with Customer B's contact details located in Customer B's account. I have no idea how or why this happened - I think he managed to find a bug in the osCommerce software that runs the process.

Customer A ignored this strangeness and tried to click through and pay the bill - when he did he noticed it listed TWO payments for the item in question, even though he only selected it once. It seems Customer A's order and Customer B's order got mixed somehow and were treated by the software as one user with one account. Customer A reset the counter to one selection of the item and then clicked pay and his PayPal account was debited to send me money to my account.

I didn't receive any cash from Customer B, although I did get an irate e-mail wondering who Customer A was and why was Customer B getting e-mails to his e-mail address with Customer A's details in them. Anyone have any idea what's going on?

Todashi Posted February 24, 2007

There have been no replies to this mail, but I'd really like to appeal to somebody to help me with this. I've searched this forum and every other osCommerce resource I can find and there are loads of references to this exact problem . . . but no explanations of why it occurs or solutions to how to fix it. This is a really serious issue - it represents a major security breach in my webstore and actually breaks the data protection act where I am located - this needs to be sorted or I have to close my web store.

Doesn't anyone know what the problem is? Can anyone provide me with a link to where this has been comprehensively addressed?