Hey, we helped get an Ameriprise customer banned from the financial company’s consumer advisory panel! Sorry about that, Brendan.
That Sears website exploit we posted about a couple of weeks ago was funny, mainly because it seemed more embarrassing for Sears than a true security risk. However, an independent security researcher had also discovered a more significant issue with the site—it allowed for an unlimited number of gift card verification attempts via an external script, so a criminal could use the site as a brute force method to identify valid gift cards for Sears and Kmart.
Yesterday a reader sent us a pretty funny screen capture of a Sears product page with a suspicious category description (see above). By the time we got around to checking it out, Sears had corrected the error. It turns out, however, that the real problem was the Sears website was built in a way that lets anyone mess with the category descriptions.