Database Bug At Woot Leaves Reader Wary Of Ordering

Robear wanted to order from shirt.woot, but something strange happened when he went to register. After choosing a username and entering his e-mail address, he noticed that all of the forms were pre-populated with another customer’s information…including that user’s credit card information. He contacted Woot to try to find out what could have happened, but Woot either hasn’t figured it out yet, or just isn’t responding. (UPDATE: Response from Woot below.)

On September 28th, 2009 I saw a shirt that I wanted to buy on the famous shirt.woot.com website. I clicked the “I want one” button and created an account by supplying a username and email address. I was then taken to my account information page to fill in my personal information. This is where the problem began. To my surprise, almost all of the fields on this page were already pre-populated with another user’s information. This included the following information about that user:

- Their name
- Pieces of credit card information (xxxx-xxxx-xxxx-, expiry date)
- Their shipping address (this user’s place of work)
- Their billing address (this user’s apartment)

Although this user’s credit card number was luckily not revealed in its entirety to me, I am guessing that if I had left it untouched and simply clicked the “this info is correct” button I would have been able to complete my order and have it charged to this user. Upon seeing this user’s information, I immediately sent an email to Woot’s bug reporting address codeslaves@woot.com, alerting them to what had happened and to what I referred to as a “Massive Security/Privacy Breach”. I attached a screenshot of the information that was shown to me and I also asked that they remove the account I had created from their site and disassociate my email address and username from the compromised user’s account.

Two weeks passed, and I had still not received a response from Woot. So on October 12th, I then sent them a second email, this time to privacy@woot.com. I found this address in their privacy policy, and it is to be used to request removal of personal information from their database. I told them that I had not heard back from them and included my original email and screenshot. 18 days have since passed, and I have still not received any responses from anyone at Woot. I can also still log on to their site using the account I had created and see the other user’s information. I should also probably point out that this user works for what I will call a fairly well known organization in New York City. A simple web search confirmed this, as I was able to find this person’s name and email address on this organization’s website.

So, in total, it has now been 32 days and I have yet to receive any response from Woot. I personally find this unacceptable, considering the fact that I am trying to bring a problem with their site to their attention. I am wondering how I should proceed from here. Should I try contacting the other user and alerting them to the fact that their personal information has been leaked to me and potentially many other people? I would like this person to know that their information has been compromised, but I don’t know how they would react. I would prefer to do this anonymously. Also, should Woot not be obligated to respond to a personal information removal request within a certain time frame? If so, do you know what it is? What do I do if I never hear back from them?

As far as my relationship with Woot is concerned, I think it’s clear that I won’t be purchasing anything from them anytime in the future.

Any e-commerce experts have any ideas about what could be going on? Have any other readers experienced customer database strangeness at Woot?

UPDATE: Woot has contacted Robear, and the company’s founder and CEO showed up in the comments to this post to express his point of view and concerns. Click here to go to the thread.

(Photo: Brian Jackson Now)

Comments

  1. MostlyHarmless says:

    Hmm never had that problem at woot. Even during the wootoffs.

    And in my experience, woot is fairly quick at getting back to you with answers. So I am guessing that they are still trying to figure out what happened.

    • xbinflux says:

      @MostlyHarmless: I actually had a weird issue during the last woot-off (this past Tues for those keeping score at home) where my login info would not work on any of the Woot sites. The odd thing was that my iPhone was still logged in and I could order (albeit slowly) if I wanted to. I sent an email to codeslaves and my issue magically disappeared in about 20 minutes (thankfully during an item nobody seemed to want).

      The crux of my story is that the Woot websites seems to be run by people who read email but aren’t great at replying to them. Its not really surprising to me, as I reply to about half of the email that I receive on the job that could warrant a reply if I had better manners. On the other hand, if the issue is one such as described above, I believe communication is not only polite, but required.

    • allknowingtomato says:

      @MostlyHarmless: I doubt Woot spent 32 days trying to figure out what happened and didn’t have any time to send a “we are looking into it” e-mail response.

      This is disappointing. I was also planning on buying a shirt from Woot, but if this is a problem on their end there’s no way I’m going to risk it. Still confused from a technological standpoint as to how the form can pre-populate someone else’s info without that person using that specific computer, tho.

  2. qwerty001984 says:

    Definitely send him an email with what you sent to woot and the screen shot.

    At least they can check their statement for fraud and cancel the card.

  3. KTK1990 says:

    They could create a new email address with a different screen name than their normal names and email the person. I personally would contact them, and ask them to contact support also about the issue.

    • 339point4 says:

      @KTK1990: Agreed. It may sound creepy to contact a perfect stranger about such a thing, but if I were them I’d want to know what was going on. Also, having their help in contacting Woot couldn’t hurt.

  4. robodomo says:

    could someone else have used your computer?

  5. jordguitar says:

    How can another person’s credit card number populate on the form? It doesn’t go out to the database or their servers during registration. I think his computer was used by someone else.

    • ben says:

      @jordguitar: Of course the information you submit goes to their server. There are multiple steps to the registration process. The first step involves choosing a username and password and giving them your email address. Then you submit the information and it checks to see if your choice of username is taken. If not, you’re given the opportunity to give the rest of your personal information (credit card, address, etc.) It was at this point in the process that this person ran into trouble.

      • jordguitar says:

        @ben: The database does not spit that stuff out into your browser cache and store it. It’s something on his end, not woot.

        • ben says:

          @jordguitar: I don’t know why you think it has something to do with his cache.

        • witeowl says:

          @jordguitar: That’s not true. It does store the information on woot’s end and spits it back out into my browser. (It only displays the last four of CC number and you still have to resupply the card security code). I’ve ordered from home, work, and out and about on my phone, and it’s always worked this way.

          Because of the needed CC security code (3 digit number), the OP could not really have ordered, but it is concerning enough.

    • oloranya says:

      @jordguitar: If it was, it’d be likely he was at least acquainted with the person, which the OP implies he is not.

      • Eyebrows McGee (now with double the baby!) says:

        @Nicole: Unless he was in a computer lab or at a public library.

        But even then, the address would probably give a hint whether this was a local issue or a database issue.

  6. Esquire99 says:

    He seems awfully worked up about something that doesn’t even affect him personally. Why not just shoot an email to the guy whose information populated and let him deal with it? Seems like a waste of energy trying to correct a problem that doesn’t really have anything to do with you.

    • Mr_Human says:

      @Esquire99: Well, it does. His personal information is also potentially compromised. He did set up an account, after all.

    • egoods says:

      @Esquire99: That’s incredibly short minded. I have my information stored on Woot, as do many people who are readers here… if there’s a database problem like that then this is a serious issue. I’d like to think all wooters are like the OP and would try to correct the issue, but I feel that’s probably not the case.

    • Loias supports harsher punishments against corporations says:

      @Esquire99: He’s upset because, if it happens to someone else it can happen to him. It could happen to you!

  7. nweaver says:

    This is strange. Most eCommerce sites keep track of users by a cookie in the web browser.

    So there are two possible explanations: They messed up in their cookie->user mapping, or something on your end/in the network gave you someone else’s cookie. The former IS more likely, but not the only possibility.

    EG, if their cookie is dumb (no Error correction) and your disk/web browser corrupted it?

    Or is there perhaps a web proxy that changed traffic unusually? What sort of network connection were you using at the time?
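
The cookie-corruption scenario nweaver raises, as an added illustration that is not from this thread or from Woot: a session cookie that is just a small sequential number can be corrupted by a single character into a neighbouring user’s session, whereas a random session id carrying an HMAC tag fails closed when any character changes. The server key, user names and session numbers below are constructed for the demo.

```python
"""Added example (not Woot's code): a 'dumb' numeric session cookie versus a
random id with an HMAC-SHA256 integrity tag. SERVER_KEY, the user names and the
session numbers are constructed for illustration."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret

# --- weak: the cookie value IS the session id, no integrity check -----------
weak_sessions = {1041: "alice", 1043: "bob"}  # constructed sample table


def weak_lookup(cookie: str):
    """Resolve a numeric cookie straight to a user; a corrupted digit simply
    lands on whichever session happens to own the neighbouring number."""
    try:
        return weak_sessions.get(int(cookie))
    except ValueError:
        return None


# --- hardened: random 128-bit id plus HMAC tag; any change is rejected ------
strong_sessions: dict = {}


def issue_cookie(user: str) -> str:
    """Create a session for `user` and return 'sid.tag' for the Set-Cookie."""
    sid = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    strong_sessions[sid] = user
    return f"{sid}.{tag}"


def strong_lookup(cookie: str):
    """Verify the tag before touching the session table. A cookie mangled in
    transit, on disk or by a proxy resolves to nobody instead of someone else."""
    sid, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return strong_sessions.get(sid)


def flip_last_char(cookie: str) -> str:
    """Simulate a one-character corruption of the stored cookie value."""
    replacement = "3" if cookie[-1] != "3" else "1"
    return cookie[:-1] + replacement


if __name__ == "__main__":
    print("weak, intact:   ", weak_lookup("1041"))
    print("weak, corrupted:", weak_lookup(flip_last_char("1041")))
    c = issue_cookie("alice")
    print("strong, intact:   ", strong_lookup(c))
    print("strong, corrupted:", strong_lookup(flip_last_char(c)))
```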

  8. swedub says:

    It MIGHT be session related. A lot of sites use cookies and/or sessions to track a user through a transaction. Sometimes when people post a link to a page from an ecommerce site they inadvertently post the full URL with their current session id at the end. If you click that link you COULD continue their session. Though it all depends on the programming language the site is written in and so forth. Plus most of the time a session will expire so that can’t happen.

    There is also session hijacking: [en.wikipedia.org]

  9. scottr0829 says:

    He wouldn’t have been able to buy with that user’s info because, even if the info is saved, they never save the security code (CVN) from the credit card and you always have to enter the code into the form before you can buy the item. I usually miss putting it in and get rejected and have to resubmit.

    • elangomatt says:

      @scottr0829: In addition, you have to put in the woot password for that user too. I wonder if it would have needed the password for the user’s info that was populated, or if it would have taken the original person’s password for the order.

  10. Dondegroovily says:

    When you order a kitten from Woot (as in the picture), it comes neutered/spayed with all its shots and a complete vet checkup for $0.49. But there’s only 4 kittens, so buy now.

  11. boomerang86 says:

    Woot’s responses MIGHT have gotten snared by the OP’s spam filter.

  12. xipander says:

    I’ve seen this happen one other time. Not surprisingly at the place I used to work for. It’s a _very_ rare occurrence and really hard to duplicate. Ours ended up being that if you already had x amount of people in the final/paying for your cart process and one person with an account and one person without an account that had to click the “pay now” button at the _exact_ same time then the person with the non account would get thrown in to the others session.

    Either way, it’s not like everyone’s seeing everybody else’s info. This bug was probably there for 3+ months before anyone figured it out and we only had 4 reported cases of it happening, out of about 35k+ orders placed.

  13. Audiyoda says:

    I’m no eCommerce expert so I can’t comment on that.

    But I have contacted Woot on a few small issues – thankfully they were small because I never received replies. I love their deals, but I pick and choose deals wisely assuming if I have a big issue with the order it will go unresolved on their side.

  14. MyTQuinn says:

    Why are so many web sites the modern-day equivalent of Radio Shack from days gone by – insisting on buyers setting up an account and password, and storing personal information that later becomes part of a security breach? Just let me buy your product and be on my way!

    • K-Bo says:

      @MyTQuinn: because most people don’t consider the security concerns, and just want to not have to type their address every time they want to buy something.

    • madanthony says:

      @MyTQuinn:

      Because otherwise nobody would be able to get a bag of crap!

    • Lollerface says:

      @MyTQuinn: I agree … unfortunately 99% of online retailers force you to create an account but whenever possible I opt out of storing my credit card info for future use. I’d rather type it in each time than have it sitting on a server somewhere.

  15. BabyFirefly says:

    This exact same thing happened to me on Amazon.com some time ago. Never got a response, so I ended up shutting down the account.

  16. chrisfromiowa says:

    I have wooted many times and never had a problem. Until I went with sellout.woot. I have been waiting 35 days for a refund on a tripod they never shipped me; they sent a replacement that was broken when they shipped it (the inner box had a hole in it, the outer box was untouched). They even blocked my email when I asked 5 questions in a single week. I know I can be an ass and I have recommended woot to many people but now I look on woot as gambling. Don’t buy anything you can’t afford to lose.

  17. rickhamilton620 says:

    Yeah, was so close to ordering a shirt off of there…I’m so glad my indecisiveness stopped me!

  18. gStein_*|bringing starpipe back|* says:

    i’m in the “browser cache” bandwagon – it’s extremely unlikely that an ecommerce site would EVER pull from a DB upon account creation, unless you somehow managed to input a username (with correct password) of a previously registered user, and woot just kicked you to the “profile preferences” page… (in which case, you need to re-examine your password practices.)

    Without knowing more information, (whose computer were you using? has anyone else used the computer recently? do you have a program running that stores userdata? did the page load with userdata, or was there a noticeable delay before it was filled in? what’s the URL of the webpage that said data was pre-loaded on?) i don’t know what to say, but i’m siding with woot on this one – 33 successful woots and counting.

    Also, even if there was a legitimate problem, is there any reason OP needs to be contacted after the problem is fixed?

  19. snapster says:

    Hi – Snapster here at woot (Matt Rutledge, founder/CEO)

    Unfortunately, this is indeed the first our team has been aware of this report or any similar circumstance. Robear, thank you for identifying the glitch and taking steps to contact us. My apologies for our communication problems after your unsettling experience. Our customer service team’s primary email (service@woot.com) should have been in the loop on the privacy address and we’re tracking down what may have occurred whether it was missed on our end or if perhaps a follow up was lost to you – in either case it is clearly our mistake for this not elevating to our development team with urgency. I would also like to confirm that we have the screenshot you supplied at this time and that is of great assistance in the matter.

    As to the issue reported, be assured, no credit card information or even the ability to order would have been available with the profile mismatch that is described. We use ASP.net profile management web services from Microsoft that are in widespread secure use, but security of actual transaction information is protected by other features designed at woot. However, the population on your order form of a user’s name and address is an unacceptable fault to have occurred and we will take steps to ensure it doesn’t occur again.

    As privacy geeks ourselves, we are obsessive about these matters and value the trust that others place with us. If anyone has a privacy related concern, I would like to make sure future communication issues do not occur. My email at woot is mrutledge@woot.com – if you or anyone else has a security issue that needs my awareness, please cc me on any correspondence. (also, side topic but if you have a service issue that’s not taken care of to your satisfaction, I would enjoy a direct report on that as well – while we set expectations low on service levels, we pride ourselves on responsiveness and take quick corrective action when necessary)

    Thanks to the Consumerist and readers for being there as a resource to bring this to our attention, and thank you again Robear for your time involved. Once this matter is comfortably resolved, I hope we can share a chuckle on the irony of the shirt that it occurred on.

    Matt Rutledge
    Founder & CEO
    Woot Inc.

  20. AnthonyC says:

    If he does try to contact the stranger, I’m wondering how he could word his e-mail to make it not look like spam.

  21. lehrdude says:

    I guess that’s why I keep getting all that bacon salt and those flying-screaming monkeys sent to my house…

  22. chocobo says:

    This happened to me during a Woot-Off last year. I clicked “I want one!” and someone else’s info was right there in the forms.

    I tried to replicate it but could not do it, so that much was good news at least.

  23. Dont lump me into your 99%! says:

    What could have happened is, whoever created the db schema did not count on so many people signing up for the site, and they used only a small int for the id. That id is linked to other tables (well maybe depending on db schema). At some point the user may have been deleted, and when the small ints used for ids were taken up, they started back at the next smallest number. Now if for whatever reason the old user’s info was not completely deleted, then it automatically was linked back up after the new user was created.

    Now this scenario is reliant on a few things that I had assumed, but cannot know without seeing the database, but if it is the case, it means anybody who had an account and the account was deleted would be prone to having their information displayed to whoever was the lucky user.

    I doubt it’s a session hijacking issue, but it’s possible, but again several things would have to take place, and the code would also have to be insecure.

    Either way, Woot should have answered this in a timely manner, and whatever the problem, it should have been fixed right away.
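
The recycled-id theory in comment 23, played out in SQLite as an added example (not Woot’s schema or code; table names, columns and the sample customer are constructed). The weak schema hands out the lowest free id and has no foreign key from the profile table, so a deleted customer’s orphaned profile row is silently inherited by the next signup that lands on the same number. The hardened schema uses AUTOINCREMENT (SQLite never reuses a rowid) and ON DELETE CASCADE so no profile row can outlive its account.

```python
"""Added example (not from the thread or from Woot): id recycling plus an
orphaned profile row leaks one customer's data into another's account page.
Schema, column names and sample data are constructed for illustration."""
import sqlite3

SMALLINT_MAX = 32767  # ceiling of a signed 16-bit id column


def make_db(hardened: bool) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # required for CASCADE in SQLite
    if hardened:
        con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,"
                    " username TEXT UNIQUE NOT NULL)")
        con.execute("CREATE TABLE profiles (user_id INTEGER PRIMARY KEY"
                    " REFERENCES users(id) ON DELETE CASCADE,"
                    " name TEXT, card_last4 TEXT, ship_addr TEXT)")
    else:
        # No FK, no AUTOINCREMENT: ids are assigned by the application.
        con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
                    " username TEXT UNIQUE NOT NULL)")
        con.execute("CREATE TABLE profiles (user_id INTEGER PRIMARY KEY,"
                    " name TEXT, card_last4 TEXT, ship_addr TEXT)")
    return con


def next_recycled_id(con: sqlite3.Connection) -> int:
    """Weak allocator: lowest id not currently in `users`, i.e. the
    'start back at the next smallest number' behaviour the comment describes."""
    used = {row[0] for row in con.execute("SELECT id FROM users")}
    for candidate in range(1, SMALLINT_MAX + 1):
        if candidate not in used:
            return candidate
    raise OverflowError("smallint id space exhausted")


def create_user(con: sqlite3.Connection, username: str, hardened: bool) -> int:
    if hardened:
        cur = con.execute("INSERT INTO users (username) VALUES (?)", (username,))
        return cur.lastrowid
    uid = next_recycled_id(con)
    con.execute("INSERT INTO users (id, username) VALUES (?, ?)", (uid, username))
    return uid


def save_profile(con, uid, name, last4, addr):
    con.execute("INSERT OR REPLACE INTO profiles VALUES (?, ?, ?, ?)",
                (uid, name, last4, addr))


def delete_user(con: sqlite3.Connection, uid: int) -> None:
    # Deletes only the account row; the weak schema leaves the profile behind.
    con.execute("DELETE FROM users WHERE id = ?", (uid,))


def prefill_form(con: sqlite3.Connection, uid: int) -> dict:
    """What the account-information page would pre-populate for `uid`."""
    row = con.execute("SELECT name, card_last4, ship_addr FROM profiles"
                      " WHERE user_id = ?", (uid,)).fetchone()
    return dict(zip(("name", "card_last4", "ship_addr"), row)) if row else {}


def simulate(hardened: bool) -> dict:
    """Old customer signs up, saves a profile, is deleted; a new user registers."""
    con = make_db(hardened)
    old = create_user(con, "old_customer", hardened)
    save_profile(con, old, "Jane Example", "4242", "1 Example Plaza, NYC")  # constructed
    delete_user(con, old)
    new = create_user(con, "new_signup", hardened)
    return {"reused_id": new == old, "prefilled": prefill_form(con, new)}


if __name__ == "__main__":
    print("weak:    ", simulate(False))
    print("hardened:", simulate(True))
```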

  24. celeb8 says:

    @snapster:

    Hate to sound like a fanboy but that is about the most satisfying response I’ve ever heard on this site from a CEO in a call-out thread.

    Granted no free shit was sent, but not only individually addressing all concerns but also taking responsibility despite not knowing what happened or any serious pressure applied? I like you.

    • brodie7838 says:

      Agreed, this is a fantastic response.

      @celeb8: Do monetary items need to be provided for every little problem in life these days, really? Nothing befouled him, and the problem is now being addressed, I would be more than satisfied to having been contacted by the CEO of a company for a resolution over an issue as trivial as this.

  25. yospiff says:

    Very much an out of the ordinary experience, IMO. I’ve been shopping on Woot for years now and never had an issue with them. I have had a rare faulty product and was once shipped the wrong item. They have always been responsive and done me right.

  26. calchip says:

    Kudos to snapster for proactively posting on Consumerist, directly addressing the issues, and also addressing the followups.

    Isn’t it a sad commentary that the companies like Woot that intentionally set customer service expectations pretty low as part of their value-based business model actually end up being among the most responsive and helpful when there’s a real problem that warrants it?

    I’ve only purchased from Woot a few times but have been very happy with the service and my purchases each time.

  27. MumblesFumbles says:

    I call BS on that response from Woot.

    Report this to Visa/MC/Amex as this is likely a violation of PCI rules. I’m sure if they had their ability to process credit cards revoked they will start to “take this seriously”.

  28. feckingmorons says:

    Woot is always responsive in my experience. It seems that the user may have more problems with his computer than he imagines. He says other user’s information is populated into form fields, and he says he is not getting email from woot.

    I would suspect something local rather than a problem with woot. They do have a telephone, give them a call if you are that concerned.

  29. sea0tter12 says:

    I’ve actually had this problem, too, although I assumed my account had been hacked and someone had changed the info to their name and address and left my credit card intact. That still may be what happened, but now that I hear this, I wonder if there is some database screwiness.

    To get a response fairly quickly, I would use Twitter. I got a response within hours after messaging @woot from an employee on Twitter after hours during a Woot-off, who then e-mailed me the next day from a business address. Try @woot and @agingdragqueen. Hope that helps!

  30. OmicroN says:

    If it were my information that were showing up there, I’d want you to let me know. Communication is key, however, because sometimes I’m a dumbass and don’t realize that it’s not your fault and you weren’t intentionally hacking Woot’s site to gain access to my information. Make sure you articulate, clearly, about what exactly happened when you tell me.

    Of course, I’m not a dumbass–but when this exact situation happened to me, and I alerted the person whose information was given to me, I was blamed for hacking the site! It took involving their local police department to explain to them that I was not a hacker, and I came across their info inadvertently.

  31. MrMan09 says:

    @MumblesFumbles – and which of the several responses did not meet with your personal high standards of judging a company’s response to an issue?

    The full CC# was not exposed and still required the CV code to be used to complete the order. Like Amazon, NewEgg, and hundreds of other ecommerce sites.

    The only fail here was the amount of time and a consumerist post it took to get Woot to go oh “bag of crap” we’ve got a problem.

    Guess what, rather than “we’re taking it seriously” canned response something is actually being done. They are following up on the issue and being proactive in responses here. They admitted it took longer than it should have and are looking into why there was a problem on both fronts.

    When is the last time Chase or BOA’s CEO posted on here?
    Oh that’s right, they are too busy riding around on their solid gold segways to bother admitting to a problem on some silly website on that there intertubes… it’s just a fad, they’ll go away…

    snapster is here taking his lumps, that is much more than many other companies do. Not just passing the buck and blaming some outside force out of his control. Are we sure he’s really a CEO?

    (hehe now maybe next time I’ll be able to get a good BOC)

  32. rekoil says:

    @MostlyHarmless: Or it could have been a hash collision – it’s rare but does happen occasionally.

  33. WiglyWorm must cease and decist says:

    @rekoil: Yeah, MostlyHarmless and Rekoil seem to have it right. (or swedub below, though I hope their coders are smarter than to encode session info in the URL).

    Depending on how Woot generates their UIDs, they may not necessarily be unique at all. I always use a date/time stamp as a salt in order to help ensure uniqueness, however, when you’re hashing info, unique sets of data *can* have the same hash.

  34. Dont lump me into your 99%! says:

    @snapster: Thanks for the reply, I was interested in knowing how it would have happened.