Sears’ Cached Pages Fueled Faster Pages, Even Faster Disaster

Written by Fred J. Aun
August 27th, 2009

In an attempt to accelerate Web response, the Sears E-Commerce site used an aggressive strategy of placing pages into cache as consumers looked. But that security shortcut enabled some site visitors this week—through a simple URL text tweak—to turn a page for a gas grill into something that dubbed itself a “human cooking” device, one of a group of “grills to cook babies” and a “body parts roaster.”

At its simplest, the technique is trivial to carry out, which is exactly why a site should never leave itself open to it. The visitor simply modifies the URL of the page being viewed. If the stars align, the retailer's server caches that page, rewritten heading and all, and the next consumer who requests the same page will likely be shown the modified version.

One senior Web programmer, technology consultant Marvyn Tinitigan, explained the tactic: “Say, for example, the breadcrumb path is: home > electronics > televisions > Samsung 52″ LCD. Then the URL for that page would be something like I’m simplifying the URL to make the explanation easier. You can easily see that the structure of the breadcrumbs reflects the URL, but here is where Sears made their mistake. It relied on the URL being honest and using that to build its breadcrumbs. So it could easily be spoofed so that the breadcrumbs would read something else by editing the URL to something like and the breadcrumb path would be home > gizmos > boobtubes > Samsung 52″ LCD. The correct way to do this would be by taking the product ID, in this case ‘Samsung-52-LCD’ and referring to the database as to what categories it belongs to and building the breadcrumb path from there.”

Sears itself issued a statement confirming the unauthorized cannibalistic cache copy calamity, but declined to address how the pages were programmed and why the changes had been permitted. “Someone visiting our site defaced a couple of product pages on last Thursday,” Sears spokesman Tom Aiello said on Monday (Aug. 24). “At no time was any of our data compromised. We’ve already taken steps to prevent this from happening again. We sincerely apologize to any customers who may have seen this on our site.”

Shortly after the pages were amended—and after a large number of screen captures of the pages started circulating on the Web—someone took credit for starting the mess in a discussion on Just like the anonymous claims on terrorist sites taking credit for attacks, there’s no way to know if the poster taking credit actually did anything.

With that grain of HTML salt taken, the person who claimed credit called himself gfixler and he said that he noticed that the text displayed on Sears’ site was taken from the URL and that made it pretty simple to change category names by altering the URL and hitting “send.” The site responded with a page that displayed the altered labels.

Another poster claiming knowledge of the attack—calling himself Immerc—said that not only “trusted data directly from the user and displayed it on the page” but “extended the level of trust further and cached popular pages, so that other users didn’t even need to have the ‘bad’ data in a URL” to see the altered text.

“The mistake Sears made,” said Immerc, was that instead of having look “at a local database to determine the category and subcategory of an item, they put the category string and subcategory string into the URL” and assumed or trusted the strings would not be tampered with by users before the URL is loaded. “A more severe form of ‘trusting data from the user’ makes Cross-site scripting or XSS attacks possible. In an XSS attack, not only is data from the user trusted enough to display, it isn’t sanitized before it’s used, allowing someone to execute arbitrary code or arbitrary database modifications simply by sending data the programmer didn’t anticipate.”
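The mistake Tinitigan and Immerc both describe, and the fix they both suggest, side by side as an added example (this is illustrative code written for this article, not Sears' own code; the `CATALOG` table and the `/products/<category>/<subcategory>/<product-id>` path layout are assumptions):

```python
from html import escape

# Constructed stand-in for the retailer's product database (assumption):
# the product id is the only trustworthy key, categories are looked up from it.
CATALOG = {
    "Samsung-52-LCD": ("electronics", "televisions"),
}

def _split(path):
    # "/products/<category>/<subcategory>/<product-id>" -> three labels
    _, cat, sub, product_id = path.strip("/").split("/")
    return cat, sub, product_id

def vulnerable_page(path, cache):
    """Builds the breadcrumb from whatever labels are in the URL and then
    caches the result by product id: the two mistakes the article describes.
    Whoever requests the product first decides what every later visitor sees."""
    cat, sub, product_id = _split(path)
    if product_id in cache:
        return cache[product_id]
    page = f"home > {cat} > {sub} > {product_id}"
    cache[product_id] = page      # attacker-influenced text is now shared state
    return page

def hardened_page(path, cache):
    """Ignores the URL labels, derives the breadcrumb from the catalog, and
    refuses to render (let alone cache) a path that does not match the
    canonical one. Labels are HTML-escaped on output, which also closes the
    reflected-XSS variant Immerc mentions."""
    cat, sub, product_id = _split(path)
    if product_id not in CATALOG:
        return None               # unknown product: 404, nothing cached
    real_cat, real_sub = CATALOG[product_id]
    if (cat, sub) != (real_cat, real_sub):
        # Non-canonical path: redirect instead of rendering spoofed labels.
        return f"301 /products/{real_cat}/{real_sub}/{product_id}"
    if product_id in cache:
        return cache[product_id]
    labels = (real_cat, real_sub, product_id)
    page = "home > " + " > ".join(escape(x) for x in labels)
    cache[product_id] = page      # only catalog-derived text ever enters the cache
    return page
```

With the vulnerable version, a single request using the spoofed labels from Tinitigan's example is enough to poison the cached copy for every later visitor of the real URL; the hardened version serves a redirect for that request and caches only the catalog-built page.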

It also appears that Sears, in an attempt to quiet down the controversy, might have caused it to flare up further. A Reddit site administrator posted an acknowledgment that he or she had been directed to erase the story about the vulnerability, leading to strong suspicions that Sears had done some arm-twisting. That led somebody to write about the fiasco on Wikipedia under the listing for “The Streisand Effect,” described as “an Internet phenomenon where an attempt to censor or remove a piece of information backfires, causing the information to be widely publicized.”

Sears responded quickly to remove the bogus pages and to seemingly tighten up security to prevent more people from trying variations of the same tactic. Pages may now be loading a little more slowly at Sears, but at least there’s a better chance they are the pages that Sears intended to show.

