Sears’ Cached Pages Fueled Faster Pages, Even Faster Disaster
Written by Fred J. Aun

In an attempt to accelerate Web response, the Sears E-Commerce site used an aggressive strategy of placing pages into cache as consumers looked. But that security shortcut enabled some site visitors this week—through a simple URL text tweak—to turn a page for a gas grill into something that dubbed itself a “human cooking” device, one of a group of “grills to cook babies” and a “body parts roaster.”
At its simplest, the technique is quite easy to do, which is why it’s best avoided. The site visitor simply modifies the URL of the page he’s visiting. If the stars align, the retailer’s server will cache that page, grabbing the rewritten page heading with it. The next consumer who comes along and seeks that page will likely be shown the modified page.
One senior Web programmer, technology consultant Marvyn Tinitigan, explained the tactic: “Say, for example, the breadcrumb path is: home > electronics > televisions > Samsung 52″ LCD. Then the URL for that page would be something like http://www.sears.com/electronics/televisions/Samsung-52-LCD. I’m simplifying the URL to make the explanation easier. You can easily see that the structure of the breadcrumbs reflects the URL, but here is where Sears made their mistake. It relied on the URL being honest and using that to build its breadcrumbs. So it could easily be spoofed so that the breadcrumbs would read something else by editing the URL to something like http://www.sears.com/gizmos/boobtubes/Samsung-52-LCD and the breadcrumb path would be home > gizmos > boobtubes > Samsung 52″ LCD. The correct way to do this would be by taking the product ID, in this case ‘Samsung-52-LCD’ and referring to the database as to what categories it belongs to and building the breadcrumb path from there.”
Sears itself issued a statement confirming the unauthorized cannibalistic cache copy calamity, but declined to address how the pages were programmed and why the changes had been permitted. “Someone visiting our site defaced a couple of product pages last Thursday,” Sears spokesman Tom Aiello said on Monday (Aug. 24). “At no time was any of our data compromised. We’ve already taken steps to prevent this from happening again. We sincerely apologize to any customers who may have seen this on our site.”
Shortly after the pages were amended—and after a large number of screen captures of the pages started circulating on the Web—someone took credit for starting the mess in a discussion on Reddit.com. Just like the anonymous claims on terrorist sites taking credit for attacks, there’s no way to know if the poster taking credit actually did anything.
With that grain of HTML salt taken, the person who claimed credit called himself gfixler and he said that he noticed that the text displayed on Sears’ site was taken from the URL and that made it pretty simple to change category names by altering the URL and hitting “send.” The site responded with a page that displayed the altered labels.
Another poster claiming knowledge of the attack—calling himself Immerc—said that Sears.com not only “trusted data directly from the user and displayed it on the page” but “extended the level of trust further and cached popular pages, so that other users didn’t even need to have the ‘bad’ data in a URL” to see the altered text.
“The mistake Sears made,” said Immerc, was that instead of having Sears.com look “at a local database to determine the category and subcategory of an item, they put the category string and subcategory string into the URL” and assumed or trusted the strings would not be tampered with by users before the URL is loaded. “A more severe form of ‘trusting data from the user’ makes Cross-site scripting or XSS attacks possible. In an XSS attack, not only is data from the user trusted enough to display, it isn’t sanitized before it’s used, allowing someone to execute arbitrary code or arbitrary database modifications simply by sending data the programmer didn’t anticipate.”
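The two designs Tinitigan and Immerc contrast, as an added example that is not Sears’ code: breadcrumbs built from the URL’s directory segments beside breadcrumbs looked up by product ID, each sitting in front of a server-side page cache. Assumptions: CATALOG is a constructed stand-in for the site’s local database, and the cache is keyed by product ID, which is what lets a poisoned page reach visitors who never sent the tampered URL.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the local database: product ID -> category path.
CATALOG = {"Samsung-52-LCD": ["electronics", "televisions"]}

def split_path(url):
    """Non-empty path segments, e.g. ['electronics', 'televisions', 'Samsung-52-LCD']."""
    return [s for s in urlsplit(url).path.split("/") if s]

def breadcrumbs_from_url(url):
    """Vulnerable pattern: category names are read straight from the URL."""
    return ["home"] + split_path(url)

def breadcrumbs_from_catalog(url):
    """Fixed pattern: only the product ID comes from the URL; categories come from CATALOG.
    Returns None for an unknown product so the caller can answer 404 instead of caching junk."""
    segments = split_path(url)
    if not segments or segments[-1] not in CATALOG:
        return None
    product_id = segments[-1]
    return ["home"] + CATALOG[product_id] + [product_id]

def render(crumbs):
    """Escape every crumb so a hostile segment cannot inject markup (the XSS case Immerc mentions)."""
    return " > ".join(html.escape(c) for c in crumbs)

class PageCache:
    """Page cache keyed by product ID (assumption, see lead-in); build maps url -> crumbs or None."""
    def __init__(self, build):
        self.build = build
        self.pages = {}

    def get(self, url):
        segments = split_path(url)
        key = segments[-1] if segments else ""
        if key not in self.pages:
            crumbs = self.build(url)
            if crumbs is None:
                return None          # unknown product: nothing is cached
            self.pages[key] = render(crumbs)
        return self.pages[key]
```

With the vulnerable builder, one request to a rewritten URL fills the cache entry that every later visitor to the honest URL receives; with the catalog builder, the tampered segments are simply ignored.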
It also appears that Sears, in an attempt to quiet down the controversy, might have caused it to flare up further. A Reddit site administrator posted an acknowledgment that he or she had been directed to erase the story about the Sears.com vulnerability, leading to strong suspicions that Sears had done some arm-twisting. That led somebody to write about the fiasco on Wikipedia under the listing for “The Streisand Effect,” described as “an Internet phenomenon where an attempt to censor or remove a piece of information backfires, causing the information to be widely publicized.”
Sears responded quickly to remove the bogus pages and to seemingly tighten up security to prevent more people from trying variations of the same tactic. Pages may now be loading a little more slowly at Sears, but at least there’s a better chance they are the pages that Sears intended to show.