
HELP - Weird customer account mixup . . .



As the subject line says, this is a weird one. I got an e-mail from a customer this evening, let's call him Customer B, complaining that when he purchased an item, the acknowledgement e-mail sent back to him to acknowledge receipt of the order listed somebody else's name and address. He was concerned that his account had been compromised and that his credit card details might be associated with a different user.


I don't think there is any real damage done because I only accept PayPal, and so I don't think his credit card details could be compromised. Even so, I need to know what the hell happened in order to continue letting people submit their CC details. Here's what seems to have happened:


Customer A (who I happen to personally know, thankfully) went onto my webstore around the same time as Customer B, and both tried to purchase the same item from the webstore. Customer B registered an account with the webstore; however, Customer A tried to do it without registering an account - he figured that as he already had a PayPal account, he didn't need to.


Customer A essentially seems to have tried to just click through the process to pay for the item but when he did so, he says he somehow managed to get presented with Customer B's contact details located in Customer B's account. I have no idea how or why this happened - I think he managed to find a bug in the osCommerce software that runs the process.


Customer A ignored this strangeness and tried to click through and pay the bill - when he did he noticed it listed TWO payments for the item in question, even though he only selected it once. It seems Customer A's order and Customer B's order got mixed somehow and were treated by the software as one user with one account.


Customer A reset the counter to one selection of the item and then clicked pay and his PayPal account was debited to send me money to my account. I didn't receive any cash from Customer B, although I did get an irate e-mail wondering who Customer A was and why Customer B was getting e-mails to his e-mail address with Customer A's details in them.


Anyone have any idea what's going on? I've searched this forum and every other osCommerce resource I can find and there are loads of references to this exact problem . . . but no explanations of why it occurs or solutions to how to fix it.


This is a really serious issue - it represents a major security breach in my webstore and actually breaks the data protection act where I am located - this needs to be sorted or I have to close my web store. Doesn't anyone know what the problem is? Can anyone provide me with a link to where this has been comprehensively addressed?


Aargh - I can't believe this slipped three pages in 12 hours and nobody has commented on it - If this is a common problem, I would think it would interest every single user of osCommerce as it effectively renders the software inviable.


If it's NOT a common problem, can somebody put me out of my misery and direct me to a solution?


  • 4 weeks later...


This topic is now archived and is closed to further replies.
