KSP Website Security Habit - Consumer - HWzone Forums
KSP site security habit


blatman23

I wanted to make the public aware of a small issue with the KSP site.

After ordering, you get a page where you can see the phone number, the order, the payments and payment method, the ordered items and the dates of everything, including the ability to edit and change the order, including adding and cancelling items.

Edit: Changing order details and adding items doesn't seem to be an option, only cancelling the order. Although I could swear that shortly after ordering, I could use this form to add items.

 

Bottom line:

The link contains the phone number within the address, and the shipping details include the buyer's email and exact address.

(See the "Edit" two lines up.) It is possible to act on the order, in the form of cancellation, without authorization, using only the link.

 

 

I probably won't put the link to my order here, because you could all see it in one click via a simple and short link, but you can check it yourself. Go to Order Status, copy the link and send it to any member....

 

As to how serious the problem is, everyone will judge by their own security standard. These are not credit card leaks or anything that serious, but these public links are straight out of the nineties.

 

To the senior people at KSP reading this: you have good prices and an excellent warranty; it's also time to wrap the package in a secure site and bring the habits up to 2020.

 

Edited By blatman23

I happened to place an order with them this week and checked, and what he says is true, and that is just completely delusional.
The attached photo is slightly edited (without the full phone number, order number or order content) (I hope I removed enough; if any personal information remains, I'd be happy if you told me what I missed).
The address of the page consists of my phone number and then the order number with a hyphen, a pretty serious disgrace.

Edit: Just for clarification, I copy-pasted the address directly into an incognito window, and of course I was not logged in as usual.
Edit 2: I see no way to change the content of the order or extract useful information from it other than the content of the order or the customer's name (you have to know the phone number to get there anyway), so I don't know how critical or serious it is, but I'm pretty sure that in any case you should have to be logged in as the ordering user to access the information.

[Attached screenshot: 1.png]

Edited By Moon-Mage

Indeed, this is exactly the page, MOON....

KSP does not answer the phone, so there is no point in trying to call. They also say there is no telephone support for the site.

 

Multicore - There is no connection between incognito and the case described, because there is no connection to local cookies or other local fingerprints. For that matter, you can send the link on WhatsApp to anyone in the US and he will be able to make changes and charges on your Visa from anywhere, without any technical capabilities... This is simply a lack of attention / a cheap checkout system that is suitable for the internet of the 90s and can, if there is the will, be fixed quickly.

Edited By blatman23

MOON,

When you contact the sales team, you reach this page, where you can make real, financial changes to an order without telephone confirmation.

Even if that were not possible, it's very severe for any site that manages your credit information. No information should be disclosed via the link, and no personal information should be detached from the permissions.

 

As someone with a background in cyber attacks, I can tell you it is severe.. very severe.

 

Edit: The form's name has changed to "No details can be changed" - I could swear it said "For any change please specify here".

This can be proved by the fact that the name of the form is the creation of a new request.

 

 

 

Edited By blatman23

You can make changes, MOON; I can cancel your order. And like I said, for some time after the order it can be changed. Do a test on a new order next time and see that "Changes can be made here" will be written there.

 

I won't give anyone any ideas here, but all I need is a list of phone numbers and a randomizer on the KSP order number template, and it could be a nice weekend computing project as a PROOF OF CONCEPT...

 

In any case, like I said, everyone will judge it by what they consider severe or not.

The post is presented as a service to KSP and the public, with love and pleasure.

 

 

Quote:

<h4 class="modal-title">Create a new request for Order # XXXX

Quote:

<span class="input-group-addon">The phone number to which the link will be sent

Quote:

id="cadd-order-request-order-modal-trigger" class="btn btn-primary" data-toggle="modal" data-target="#add-order-request-order-modal">Contact the sales team

Quote:

<input type="email" value="XXXXXXX@gmail.com" style="width: 100%; direction: ltr;">

 

Edited By blatman23

TL;DR

Bottom line: In my humble opinion, there is no problem in this post; there is no reason to worry about ordering from the site.

 

Hello everyone,

As a regular customer of KSP I was a little stressed by this post and wanted to verify it, so I went to the site and placed an order for a small item (30 shekels, which I needed anyway), went through all the order steps and at the end copied the link they gave me and opened it on another computer in private mode (incognito). The page I reached did show the order details, but no change could be made to quantities or anything else; it was a "read-only" page. I also checked the link address, and it actually consists of my phone number, the order number and another nine-digit number, for example:

https://ksp.co.il/cart/order-tracking/0521234567-4123456-123456789

 

I don't see a situation where anyone can accurately guess both the phone number and the order number as well as the nine-digit number, which is currently unknown, which means that to see the details of my order (no credit information can be seen) one would need to guess 16 digits, and that is when the phone number is known. In my humble opinion, it is perfectly reasonable.

 

Bottom line: In my humble opinion, there is no problem in this post; there is no reason to worry about ordering from the site.

 

Comments:

1. For those who think I was wrong about something, I have a screen recording of all the order steps, from the first page to the link opened on another computer. Anyone is welcome to contact me with details and I will prove it to them.

2. When ordering, I filled out my credit card information (as opposed to a recurring phone request for credit information).

 

@blatman23 - There is no truth in your post, with all due respect and with no desire to hurt you.

A nice day to everyone.

Edited By kobiben

Kobi, in the world of rhetoric and common sense, it is impossible to write both "The page I reached did show the order details" and "there is no truth in your post" in the same post. I suppose you have an interest in KSP, so I will talk to you as well.

 

Upload your video for real, so we can see your address, phone, how many payments you made and what you ordered. But do not erase or blur anything... if you don't care, then you should not be ashamed of what is written there and where you live. Make a real video, because if you do not mind, then there is no problem sharing a public link. But I doubt you will answer my request... or you will refuse and say "why should I share a link with my address, I keep it to myself and that's the end of the story", and to that I will say that you have no background in systems security if that's what you think, and that's fine too; you are simply a customer.

 

Go back to the first post, where you can find the sentence "As to how serious the problem is, everyone will judge by their own security standard".

 

That is, when I shop at Amazon, Newegg or other stores, there are no public links to my order, my physical address, my phone number and how many payments I used for the order. This is personal information, and certainly more so when the link itself already provides personal information in an irresponsible manner.

 

I didn't tell you not to order from KSP; I won't stop buying from them, because I've never had a professional problem with them in over a decade. I just gave you an international standard of how an up-to-date checkout system should work.

I will rephrase your last sentence: "Blatman23 - there is truth in your post; indeed the public link also works on another computer, but you cannot make changes other than cancelling the order and submitting a query on behalf of the buyer, so I think it doesn't matter, because what else should I hide beyond what I bought and my phone number; it doesn't hurt anyone."

I believe this is what you mean, and it's okay and legitimate.

 

There is no negative evidence here about KSP prices or service; on the contrary, I was burned twice and did not encounter any obstacle at KSP Tel Aviv regarding repair and replacement.

The first post was edited properly, to reflect the ability to cancel a reservation only, without authorization, and no details about the Visa account, so the whole thing remains true.

As mentioned, the main problem is providing personal details including address, credit card payments, phone number, courier arrival time, etc. on a completely public page. Acceptable to you, unacceptable to me.... It's all about perspective and relationship..

 

The post is aimed at advanced users who care about their personal information. Thanks for your review.

 

Edited By blatman23

Kobi, where are you? We said you would put your order link here, so we can see your address, real name, package number, payment number and order details.

After all, there is nothing private about it, and we're also in the mood to check that there is no truth in my post.

 

And if privacy starts and ends with a link that can be copied into the address bar, which, to add insult to injury, happens to be made of semi-public identifiers themselves, will you still stand by what you said about the truth of my post?

 

I'm here, waiting for the discussion to continue...

 

 

 

 

Edited By blatman23

Blatman,

I think your first sentence in the discussion sums it all up. A small problem. And in my opinion a very small one.

You also create a public link when you share a file from your drive (one of the options), and that is not a problem in any way.

 

However, KSP should not use such a link, but believe it or not, there is a reason. Whatever it is, you can definitely "link" with a longer, random set of characters.

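As an added example, not code from the thread or from KSP: the composite-identifier link shape kobiben quotes, beside the opaque random-token design the last post suggests, with the entropy of each spelled out. The `TrackingLinkStore` class, its names and the sample order are assumptions for illustration.

```python
import hmac
import math
import secrets
from typing import Dict, Optional

# Constructed sample order, not real customer data; it mirrors the shape
# of the example URL in the thread (phone-ordernumber-ninedigits).
SAMPLE_ORDER = {"phone": "0521234567", "order_id": "4123456", "suffix": "123456789"}


def legacy_tracking_path(phone: str, order_id: str, suffix: str) -> str:
    """The pattern the thread describes: customer identifiers form the URL."""
    return f"/cart/order-tracking/{phone}-{order_id}-{suffix}"


def entropy_bits_if_random(decimal_digits: int) -> float:
    """Upper bound on the entropy of `decimal_digits` uniformly random digits;
    a sequential order number contributes far less than this bound."""
    return decimal_digits * math.log2(10)


class TrackingLinkStore:
    """Hypothetical server-side store: the URL carries only an opaque random
    capability token, so the path reveals nothing about the customer and
    cannot be derived from a phone number or an order number."""

    TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def issue(self, order_id: str) -> str:
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._by_token[token] = order_id
        return f"/cart/order-tracking/{token}"

    def resolve(self, path: str) -> Optional[str]:
        """Map a tracking path to its order id (read-only view), or None.
        Constant-time comparison so timing does not leak token prefixes."""
        presented = path.rsplit("/", 1)[-1]
        for token, order_id in self._by_token.items():
            if hmac.compare_digest(token, presented):
                return order_id
        return None
```

With the phone number known, the legacy form leaves at most 16 decimal digits (about 53 bits, and less in practice because order numbers are sequential) between a stranger and the order page; the token form leaves 256 bits and nothing to derive from.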
