Sears.com site defacement statement

posted on August 20, 2009 at 04:50PM

Hi everyone, 

We discovered earlier today that someone visiting our site had defaced a limited number of product pages.   It’s important for our customers to know that we have no reason to believe that any of our customer or financial data were compromised.  We’ve already taken steps to prevent this from happening again.  We sincerely apologize to any customers who may have seen this on our site.

replies: 22 latest post: August 24, 2009 at 12:09AM by AdamO
posted on August 20, 2009 at 04:54PM
 

Defaced how?

posted on August 20, 2009 at 05:40PM
 
In response to MoonPiGirl's post from August 20 2009 04:54PM

http://www.foxnews.com/story/0,2933,541221,00.html?test=latestnews

posted on August 20, 2009 at 08:46PM
 

They can do electronical Graffiti?

Great!

Just paint'n over the real stuff, at the store, is fun ENOUGH!

posted on August 20, 2009 at 09:32PM
 

Wow ... I saw this statement on the Sears facebook page earlier ... but I had no idea what they had done until now.  That's some nasty stuff!

posted on August 20, 2009 at 09:36PM
 

Charming.

posted on August 20, 2009 at 09:37PM
 

wow such a big deal it woke up thatmanguy

posted on August 20, 2009 at 09:49PM
 

I'd suggest they look at people who are protesting Sears' sponsoring certain TV shows.

posted on August 20, 2009 at 11:11PM
 
In response to goodole312's post from August 20 2009 09:37PM
goodole312 said…

wow such a big deal it woke up thatmanguy



haha glad to be welcomed back goodole.  I'm one of those management guys so I've been busy preparing for the 4th quarter transition where I tear down Lawn & Garden to make room for the Toy Shop and additional floor space for Tools ... on top of being at work all the time because my people's hours keep going down down down so us salaried folk work more and more

posted on August 21, 2009 at 11:37AM
 

I'd like to clarify the technical aspects of this prank. Basically, the Sears e-commerce site accepts URL parameters as a source for the category names. Some people over at reddit.com were playing with this by altering URLs to display silly category names for products. Of course, regular shoppers wouldn't normally see the change, since they would be using URLs provided by the Sears site itself. Ultimately, it's not a security hole (per se) since no live code could be injected (no SQL injection, XSS, or CSRF exploits were found), but it has to be embarrassing for the Sears web team.

The real problem occurred when the reverse proxy (this is guesswork now) started caching the category names for these products. If the category name was not provided, the proxy would substitute the last category name it had seen for the product—potentially one of the prank names. Regular users would still not see these names during regular browsing... until they did a search! That was unanticipated.

Finally, someone passed one of the stripped links to some news sites, who then picked up on the story. Being rather ****** news orgs, they didn't really do their research before running the stories. Go figure:

http://www.tmz.com/2009/08/20/the-perfect-grill-for-a-cannibal/

Anyway, the web team seems to have (at least temporarily) stopped the caching, or maybe they have even fixed the underlying problem by now. In any case, customer data was never at stake.

Sears contacted Conde Nast, the company that owns Reddit, and Conde Nast forced a Reddit admin to stop displaying the relevant discussion on the front page of the site (where it had appeared due to popularity.) The users are a bit ****** at that, but most understand that Sears was acting to protect itself.

Of course, such an issue *could* be indicative of actual security holes, but I am sure the web team is on its toes now, and the site will probably be safer because of this prank. :-P
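The mechanism described in the post above, as an added example that is not part of the original thread: a toy Python model in which a product page takes its category name from a URL parameter and a cache in front of the application is keyed on the product id alone, so the last visitor's text is handed to everyone who asks for that product without the parameter; beside it, a version whose display text comes only from the catalog. The parameter name `category`, the product id and the catalog entry are constructed assumptions, not Sears' actual implementation.

```python
from html import escape
from urllib.parse import urlparse, parse_qs

# Constructed catalog: the store's own record of each product's category.
CATALOG = {"grill-100": "Grills & Outdoor Cooking"}

def product_id_from(url: str) -> str:
    return urlparse(url).path.rsplit("/", 1)[-1]

def render_page(product_id: str, category: str) -> str:
    # Output is escaped, so no script can be injected: the post says no XSS
    # was found, and this bug is about displayed text, not code.
    return f"<h1>{escape(product_id)}</h1><p>Category: {escape(category)}</p>"

class VulnerableSite:
    """Takes the category name from the URL and caches by product id alone."""
    def __init__(self):
        self.cache = {}

    def get(self, url: str) -> str:
        product_id = product_id_from(url)
        params = parse_qs(urlparse(url).query)
        if "category" in params:  # hypothetical parameter name
            page = render_page(product_id, params["category"][0])
            # The cache key ignores the parameter, so this visitor's text
            # becomes the page every later visitor receives for the product.
            self.cache[product_id] = page
            return page
        # No parameter (e.g. a search result link): serve whatever was cached
        # last, whoever produced it, else fall back to the catalog.
        return self.cache.get(product_id) or render_page(product_id, CATALOG[product_id])

class HardenedSite:
    """Display text comes only from the catalog; the URL cannot change it."""
    def __init__(self):
        self.cache = {}

    def get(self, url: str) -> str:
        product_id = product_id_from(url)
        # Rule: every request input that shapes the response must either be
        # part of the cache key or be ignored entirely. Here it is ignored.
        if product_id not in self.cache:
            self.cache[product_id] = render_page(product_id, CATALOG[product_id])
        return self.cache[product_id]
```

With the vulnerable site, one request carrying the parameter changes what every subsequent plain request for that product returns; with the hardened site, the same request has no effect on anyone else.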

posted on August 21, 2009 at 01:09PM
 

Sears, instead of accepting they had badly designed their website, decided it was a better to send lawyers to social news website reddit to force them to censor user submissions.

You just lost a lot of customers.

posted on August 21, 2009 at 02:35PM
 

Well, hell, when I think of a good time, I definitely think of attacking the Sears website and posting a phrase that a 10 year old child would use in the place of a product description, because nothing gets my rocks off like demonstrating my IQ level to the entire world.

Pathetic, really, but I can't decide who is more pathetic. The attackers, or the News Websites like Reddit who over-inflated the story and made it into a huge "OWNED" statement... At least Fox News handled it professionally.

posted on August 21, 2009 at 03:45PM
 
In response to reddituser's post from August 21 2009 01:09PM

@reddituser: I doubt Sears actually lost any customers. For all we know, the publicity may remind people that Sears sells grills and power saws.

I too am annoyed that Conde Nast told spez to "censor" the post, but it's not like it was outright deleted. Pretty tame, really. It's easy to lose sight of what real censorship is: Silencing, intimidation, character assassination, pervasive misinformation campaigns...

But yeah, someone needs to write "I will not blindly echo user input" 100 times on the chalkboard.

posted on August 21, 2009 at 03:50PM
 

does anyone know if there is a way to block internet on ur ipod touch and still have texting or aol?

posted on August 21, 2009 at 04:01PM
 
In response to AzureIntelect2031's post from August 21 2009 02:35PM

@AzureIntelect2031, a couple corrections:

  1. Sears was not "attacked". People were playing with the page URLs and crafting links that would put up silly category names. The persistence of the names due to very poorly written data sanitization/page component caching was unforeseen. I agree, however, that sending the affected page URLs to TMZ was in poor taste.
  2. Reddit did not inflate the story; the story started there. The trick was first posted on that site (after a member had been messing with Sears URLs for a year.) Once a bunch of redditors started playing with it, the trick began to affect the caches.
  3. Fox News did not handle the story professionally. They pasted the most sensational bit in the headline, even while knowing that the category names had been changed by an external agent. A professional approach would have been to title the article "Sears website product pages temporarily defaced" (or similar.) Besides, this sort of thing happens all the time on the internet. Was it even worth running as a news story, if not for the shock factor of the headline?
posted on August 21, 2009 at 04:25PM
 
In response to phyzome's post from August 21 2009 04:01PM

Hmm. Point taken. But I still just find this whole "alteration" or "attack", whatever you want to call it, of any website, not just Sears, pathetic. Someone with that sort of ability should be putting it to good use, not being a Script Kiddie and messing around with nationally-visited websites.

posted on August 21, 2009 at 05:00PM
 
In response to AzureIntelect2031's post from August 21 2009 04:25PM

I can understand why you call it "pathetic" or "childish". While I can't speak for any of the people who were actually involved in this, let me try to explain why I would have participated and found it enjoyable.

I am a hacker. That does not mean that I want to destroy data or invade computers, it means that I have an insatiable drive to tinker and explore. (The mass media seems to have picked up the former as their definition, though the latter is much older and more accurate.) There have always been hackers, but computers provide what is in some ways a richer playground for tinkering.

I find joy in making a system do something it was not intended to do. I am annoyed by barriers to tinkering. When I discover something new, I want to share it. These attributes are what drive hackers. Some (the white-hats) put it to good use, and in group efforts create such things as the internet and the web (which runs on top of it.) Some (black-hats) use their skills and interests for illegal and/or immoral purposes.

It's easy to get carried away when you're having fun, and computers make it harder to see that you are affecting other, real people. When those affected try to assign motive, all they can see is the damage they perceive (actual damage, or just a bruised ego.) The natural assumption is that the hackers wanted to cause damage, period.

Script kiddies are juvenile delinquents who happen to use computers, and they generally employ tools and tricks written by black-hat hackers to wreak havoc. (And they give real hackers a bad name! They are not looked upon kindly...)

Funny that you mention "putting it to good use". Hacking is how new ideas enter the world of software. Activities like this are just fun downtime play. (Also, an important part of writing secure software is to try to defeat security measures other people have written!)

Many hackers (not all) believe in "responsible disclosure", where security holes are reported directly to those who need to fix them. If the hole is not fixed, a public announcement is made, which at least empowers users to protect themselves. It's clearly not what happened here, which you are free to regard as childish, since someone allowed their sense of mischief to override their sense of helpfulness. Whether or not you feel that is immoral, immature, or irresponsible is up to you.

posted on August 21, 2009 at 06:17PM
 

FOX isn't considered a news source in this house.  It's considered an infomercial at BEST.

posted on August 21, 2009 at 09:53PM
 

I thought it was a comedy channel??

posted on August 21, 2009 at 10:03PM
 
In response to goodole312's post from August 21 2009 09:53PM
goodole312 said…

I thought it was a comedy channel??


True, true... the only two shows I watch on Fox are Family Guy and the Simpsons.  In fact, now that Hulu.com has both I find myself going there to watch it instead of Fox.

Fox is right-wing nutjobs and conspiracy theories.  You can get better news by reading the tabloids at the checkout stands.

posted on August 22, 2009 at 10:26AM
 
In response to rstinnett's post from August 21 2009 06:17PM
rstinnett said…

FOX isn't considered a news source in this house.  It's considered an infomercial at BEST.


Well said.

This topic has been locked.