Channel: How DO you make those Animal Costumes? (Fursuits)

A Potential Security Warning: Distinctive Fabrics

EDIT: I originally posted this as members-only, but after some thought, I think it should be shared with the community as a whole. But please read and CHANGE. YOUR. PASSWORDS.

I know there's been some fuss in this community regarding DF's customer service, which I've experienced myself. But now there's an issue that I can no longer keep quiet.

I am a software engineer, and I work primarily in web development and security.

Issue one: DistinctiveFabrics.com processes their passwords in plaintext. This means that if you log in on a less-than-secure connection, there's a chance someone could steal your login information. Ok, ok, so it's Distinctive Fabrics, who cares? Well if you're like a majority of people, you MIGHT do what security professionals have been telling you not to do for years and reuse passwords ;) (No shame, I'm guilty of it too!) Is your DF account password the same as your bank account login, your Paypal, or anything else sensitive? If so, CHANGE. YOUR. PASSWORDS. NOW.

My roommate (also a software engineer) was able to snatch up my password and log into my DF account from his own computer in mere minutes, using a program that's readily available called Wireshark. This sort of attack is trivial, and is also a great reason to avoid unsecured wireless connections and to maintain a different password for each account you have.

QUICK EDIT: Uploaded the screenshot with a sample login and password being transferred in plaintext http://imgur.com/JcoZ76G
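What Wireshark's "Follow TCP Stream" shows for a login form submitted over plain http:// is just the HTTP request itself, so anyone on the same network path can pull the fields out of it. The following is an added example, not code from the original post or from DistinctiveFabrics: it parses a constructed login request (the hostname, field names and values are made up) and extracts the credential fields, which is all an attacker's tool has to do. The only real fix on the site's side is to serve the login page and the form's action URL over HTTPS, after which the same capture contains nothing but TLS records.

```python
"""Pull credentials out of a captured plaintext HTTP login request.

Added example.  The capture below is constructed for illustration and
is not real DistinctiveFabrics traffic.
"""
from urllib.parse import parse_qs

# Constructed sample, laid out the way Wireshark renders a followed stream.
CAPTURED_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example-shop.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"email=alice%40example.test&password=hunter2"
)

# Field names that commonly carry a secret (assumed list, extend as needed).
CREDENTIAL_FIELDS = ("password", "pass", "passwd", "pwd", "pin")
IDENTITY_FIELDS = ("email", "user", "username", "login")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a pipelined stream are ignored.
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def extract_credentials(raw):
    """Return {'target', 'identity', 'secrets'} for a form-encoded login
    POST, or None when the request carries no credential-like field."""
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs percent-decodes, so alice%40example.test becomes alice@example.test.
    fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    secrets = {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    if not secrets:
        return None
    identity = {k: v for k, v in fields.items() if k.lower() in IDENTITY_FIELDS}
    return {"target": target, "identity": identity, "secrets": secrets}


def sweep_capture(requests):
    """Run extract_credentials over every request in a capture and keep the hits,
    the same job a Wireshark display filter on POST bodies does by hand."""
    return [hit for hit in map(extract_credentials, requests) if hit is not None]


if __name__ == "__main__":
    for hit in sweep_capture([CAPTURED_REQUEST, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"]):
        print(hit["target"], hit["identity"], hit["secrets"])
```

Nothing here is a weakness in the victim's browser or password; the request is simply readable because HTTP has no encryption layer, which is why the same password reused on an HTTPS-only site like a bank is still exposed once it crosses the wire in the clear anywhere else.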

The second, more complex issue is...

While checking on a recent order (where items had been discontinued and not noted on my order, and where items had been left off), I noticed that my account listed one of my older orders, but not my most recent, under My Account > Orders.

I wanted a digital copy of my old receipt, so I simply edited the URL to my current receipt number, and was automatically taken to my newest receipt--which is normal and correct. However, the curious security professional in me decided to try entering a random order number to see where it would take me.

I was able to access dozens of other customers' orders, including their name, shipping address, personal phone number, order contents, order date, and personal email address. I am personally uncomfortable with this information being essentially wide open for potential abuse. Please keep in mind that this data wasn't found through "hacking"; anyone who can use the keyboard can do this.
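The flaw described above is an insecure direct object reference: the receipt page checks that you are logged in, but never that the order you asked for is yours, and the order numbers are sequential so they can be walked. The following is an added example, not DistinctiveFabrics' code; it models the vulnerable handler next to a hardened one over a constructed in-memory order table (customers, names and addresses are made up) and includes the enumeration loop the post describes so the difference is visible.

```python
"""IDOR on a receipt URL: vulnerable handler beside a hardened one.

Added example with a constructed order table; not the shop's real code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str      # account that placed the order
    name: str
    email: str
    shipping: str
    items: tuple


# Constructed data: two customers, sequential order numbers.
ORDERS = {
    1041: Order(1041, "alice", "Alice A.", "alice@example.test", "1 Fur Way", ("plush, 2 yd",)),
    1042: Order(1042, "bob", "Bob B.", "bob@example.test", "2 Fleece Rd", ("minky, 3 yd",)),
    1043: Order(1043, "alice", "Alice A.", "alice@example.test", "1 Fur Way", ("buckram, 1 yd",)),
}


def receipt_vulnerable(session_user, order_id):
    """Mirrors the behaviour in the post: being logged in is the only check,
    so editing the number in the URL returns any customer's receipt."""
    if session_user is None:
        raise PermissionError("login required")
    return ORDERS.get(order_id)


def receipt_hardened(session_user, order_id):
    """Authorise per object: the order must exist AND belong to the caller.
    Both failures get the same None (a 404 in a real app) so the endpoint
    does not reveal which order numbers are taken."""
    if session_user is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer != session_user:
        return None
    return order


def enumerate_orders(handler, session_user, start, stop):
    """What the post describes: walk receipt numbers as a logged-in user and
    record whose data comes back.  Returns {order_id: owning customer}."""
    found = {}
    for oid in range(start, stop):
        order = handler(session_user, oid)
        if order is not None:
            found[oid] = order.customer
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_orders(receipt_vulnerable, "alice", 1040, 1045))
    print("hardened:  ", enumerate_orders(receipt_hardened, "alice", 1040, 1045))
```

Switching to random, unguessable receipt tokens would slow the walk down but is not a substitute for the ownership check, since a token that leaks in a shared link or a referrer header would still open someone else's order; the check on the owning account is what actually closes the hole.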

I contacted DF about this potential issue, including screenshots and detailed descriptions of my methods, on October 15th. They responded with the following:

"First, let me thank you for the extremely important information you have provided in regards to the website. Our techs have been working on updating the site since it is showing signs of old age and they will work on correcting the issue."

It is now almost mid-December, and I am still able to access other customer information.

I'm not saying you shouldn't use DF ever again, but I think that we all need to be cautious when dealing with their site until they decide to fix things up a little.

I can provide proof images for everything I've stated here (including what I sent to the company itself), although I'd have to do a lot of editing for the ones that have other customers' personal info on them. Let me know if you're interested.
