Would You Consider This A Design Flaw?
I was on the Wish List page on tenderfilet.com and noticed a search box. Being a curious monkey I entered ‘h’:
I was surprised to see this list pop up. The screenshot below is a partial screenshot of the results page:
It has the customer’s full name and address. Would you consider this a design flaw?
Yikes, I would say so.
I’m not a SQL or database whiz, but I’m guessing the lookup query is written in such a way that takes what you enter (h) and attaches wildcards before or after it, resulting in every email with an H in it. Their development team should take a serious look at this.
You are right, that’s exactly what’s happening at the code execution level. Here is the clincher: I bet the marketing team at tenderfilet.com is not even aware of this design flaw. Luckily they don’t list email addresses or their competitors could have done some serious damage.
Nope! As long as it shows more results, rather than less results, it’s alright.
From a user point of view, more information is better.
Here’s the problem though. If they are showing contact information, someone can call the customer, claiming to be from Tender Filet, and try to solicit credit card information. This happened to one of my clients before, and it was an absolute disaster.
I’m all for usability, but contact information should never be that available on a public site.
It’s an interesting issue. As you guys discussed, they are taking the letter and if any name has that letter it is showing the results. However, if you type something like “hh” or “aa” nothing shows up. I don’t consider this a design flaw, because what is the real flaw? The user is supposed to enter a name to search, however they accidentally typed just a letter such as “h”. What’s the big deal showing what they are showing? As they are not revealing any sensitive data, I don’t find it to be problematic.
You have a valid point. But if someone is looking to buy a gift item I suspect they would know a few letters beyond the recipient’s initials. This is certainly not a security breach, just poor programming standards in my opinion.
With plans to implement public wish lists on my own store, this is interesting.
As long as no contact details are being shared (or only explicitly with the user’s consent), this should not be an issue. But on the other hand, having a minimum of say 3 letters before executing a search and input of location might also be good.
Or should the URLs be based on some alias and let the user have the responsibility of sharing it with the people?
The two approaches totally differ based on what consumers would ideally want.
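The two behaviours the thread compares, as an added example that is not code from the original post or from tenderfilet.com: a lookup that wraps the term in wildcards and returns the address with every hit (the behaviour the commenters infer above), next to a hardened version that applies the three-letter minimum and the alias-URL idea suggested in the last comment. The table layout, the sample names and addresses, and the `MIN_QUERY_LEN` constant are assumptions.

```python
import secrets
import sqlite3

MIN_QUERY_LEN = 3  # assumed threshold, from the "minimum of say 3 letters" suggestion in the thread


def build_db():
    """Constructed sample data: names, addresses and aliases are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wishlist (id INTEGER PRIMARY KEY, full_name TEXT, address TEXT, alias TEXT)")
    con.executemany(
        "INSERT INTO wishlist (full_name, address, alias) VALUES (?, ?, ?)",
        [("Hannah Smith", "1 Oak St", secrets.token_urlsafe(12)),
         ("John Hart", "2 Elm Ave", secrets.token_urlsafe(12)),
         ("Alice Johnson", "3 Pine Rd", secrets.token_urlsafe(12))],
    )
    return con


def search_wildcard(con, term):
    """Behaviour inferred in the thread: wildcards on both sides of the term, and the
    address is returned with each hit, so a single letter enumerates most of the table."""
    return con.execute(
        "SELECT full_name, address FROM wishlist WHERE full_name LIKE ?", (f"%{term}%",)
    ).fetchall()


def _escape_like(term):
    # Neutralise LIKE metacharacters so the caller cannot supply their own wildcard.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(con, term):
    """Minimum length, prefix-only match, and no contact details in the result set."""
    term = term.strip()
    if len(term) < MIN_QUERY_LEN:
        return []
    return con.execute(
        "SELECT full_name FROM wishlist WHERE full_name LIKE ? ESCAPE '\\'",
        (_escape_like(term) + "%",),
    ).fetchall()


def lookup_by_alias(con, alias):
    """Alias-URL approach: the owner shares an unguessable token; there is no search surface."""
    row = con.execute("SELECT full_name FROM wishlist WHERE alias = ?", (alias,)).fetchone()
    return row[0] if row else None
```

With the sample rows, `search_wildcard(con, "h")` returns all three customers with addresses while `search_hardened(con, "h")` returns nothing, and "hh" matches nobody in either version, as the thread observed.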