
The AK Files Forums > General Forums > General Discussion

#1  Spook76 (Moderator, Texas)  02-21-2018, 02:03 AM
Thread title: A security warning regarding Brownells--this just happened to me

Just a caution:

Short version...If you are currently logged into the Brownells website, I strongly urge you to 1. immediately log out --and-- 2. watch your credit card/bank accounts closely the next wee bit. Contacting Brownells as early as tomorrow may give additional info on when they've unfucked their *currently happening* (for past solid 20+ min) glaring security issue...Once that's considered okay, again, and you next log in there, I further urge you to double check your email/credit/etc. type info listed on your account there.

ETA: Update in post #13...

Somewhat longer version...
I was logged in and shopping their website tonight, all going normal, when I noted a pop up error message telling me their system had some issue loading my cart, and that I should reload the page. Upon reloading the page, as instructed, I was loaded into SOMEBODY ELSE'S cart (noted different name at top and different contents). Confused, I refreshed, again...

On next page refresh, I was loaded into the account page of *yet another* person. On that page, I could see the personal billing and shipping address/etc. account type info for that person. I, immediately, logged out.

After killing that browser window, I logged back in, to see if it happened, again. All looked fine, at first, and I clicked to enter their Web chat to report what had just happened. Their web CS guy offered nothing beyond "yikes", and telling me he needed my email or phone number to pass to IT, so they'd know "all the people this had happened to" (i.e. seemingly, lots of accounts tonight). He offered no ideas, no resolution, no suggestion to log out, didn't ask whether I had other questions/concerns, and not even a "bye", before immediately pasting their end chat type blurb with a survey link.

When I closed that chat window and reloaded the page, I was loaded into *yet another* stranger's personal account info, past orders, etc. I logged out, again, hoping that whatever's up might only be affecting people currently logged in. I have no way of knowing whether this will help prevent some stranger from ordering stuff via my account, but it's the best I could think of, thus far.

I'll be calling their HQ tomorrow, as much to ensure they know it happened as to let somebody higher up the food chain know how concerning I feel this is. I know every website can have issues, but full account access to strangers like this shouldn't happen, ever, and is more than just an inconvenience, IMO. Frankly, I'm pretty pissed, even though I know it's easily enough addressed should any strange charges show up on our statement.

Anyway, just passing it along, hoping it might help avoid a headache for some of Y'all. I'll update this thread as I get anything from them.
__________________
"Violence, naked force, has settled more issues in history than has any other factor, and the contrary opinion is wishful thinking at its worst. Nations and peoples who forget this basic truth have always paid for it with their lives and freedoms."--Robert Heinlein

"Never ask someone if they're from Texas. If they are, they'll tell you; if they aren't, there's no need to embarrass them."--Unknown wise observer

Last edited by Spook76; 02-21-2018 at 03:08 PM.

#2  swolff (Veteran Member, SE PA)  02-21-2018, 02:11 AM

Just tried it on my end using Firefox. No issues at all. I had to reset my account name as it was a name I normally don't use. But it was all my information.
__________________
Looking for Romanian recoil rod #4119 or #119

#3  Spook76 (Moderator, Texas)  02-21-2018, 02:24 AM

Quote (originally posted by swolff):
Just tried it on my end using Firefox. No issues at all. I had to reset my account name as it was a name I normally don't use. But it was all my information
So was mine, until it happened. Hopefully, for most people, it's just some freak error that's getting quickly sorted and not affecting everybody everywhere. I'm not sure why it'd make a difference to their site, but I did note all three other people's accounts it happily sent me into all live in various parts of TX (from deep, small town east TX, to San Antonio, to Austin). No chance of same ISP, given the spread, but something's up.

Localized--for whatever weird reason--or not, what's more concerning than possibly having to do a charge back for a wrong order is other people within driving range being able to see what you've ordered/mags and parts for what guns (and that they might think about breaking in your house to get), and being handed both your billing and shipping address. It's a minor stretch, but a valid concern, all things considered these days.

"Yikes," indeed.

ETA:
Hoping it was fixed, based on time and your mention of having no issue, I just went back to their website...Without typing anything--simply clicking the "login" link--I was loaded into yet another (now, the fourth) person's account page. Argh...

#4  nalioth (Devil's Advocate & Moderator, Houston, Texas)  02-21-2018, 02:33 AM

Have you tried using another browser, Spook76?


Just for giggles, of course . . .

#5  Spook76 (Moderator, Texas)  02-21-2018, 02:52 AM

Quote (originally posted by nalioth):
Have you tried using another browser, Spook76?


Just for giggles, of course . . .
Yes, I have, Nalioth. Perhaps, though, you can explain how my choice of browser should somehow affect whether the Brownells server is inappropriately sending me into multiple strangers' accounts...? My concern isn't the inconvenience of my fucking browser doing something; it's several customers' personal info being readily available to who knows how many other customers (regardless of their browser).

For reference, in any case:
This happened in Chrome. I logged out of my AND all other people's account(s) (as they happen), have completely closed Chrome, re-opened it, more than once, and it's still happening, as of my last ETA reference, above.

I, also, tried in I.E. Upon logging into my account there via I.E., all looked fine. Logging out there, then another try back in fresh Chrome got me the yet another/most recent other person's account mentioned, above.

I *suspect* when that initial cart error happened, it loaded a cookie for Chrome. That'd make sense, except that long after that error and two shut downs of Chrome, relaunch in I.E., and logging out of every account it's thus far sent me into, that'd be a lot of post-error "oops" login cookies. In other words, the cookie thing might explain one extra account login/it putting me back into that ONE acct. during an error SNAFU/afterward, but not multiple others long after that one cart error. Something is up with their system.

If you read the OP, you'd have seen the reference to the chat CS guy suggesting this had happened to other people tonight. So, not just some browser thing.

#6  nalioth (Devil's Advocate & Moderator, Houston, Texas)  02-21-2018, 03:04 AM

Quote (originally posted by Spook76):
Yes, I have, Nalioth. Perhaps, though, you can explain how my choice of browser should somehow affect whether the Brownells server is inappropriately sending me into multiple strangers' accounts...?

-- SNIP --

If you read the OP, you'd have seen the reference to the chat CS guy suggesting this had happened to other people tonight. So, not just some browser thing.
Yes, it's called a "user agent" (the name of the browser sent to the webserver when page requests are made).

Webservers can be configured (or misconfigured) to respond differently to different user agents.

Most notoriously, Microsoft used to provide "concierge service" to connecting Microsoft browsers from its own IIS servers (although a multi-million-dollar wrist-slapping got them to stop that). Bluntly, when a Microsoft browser would connect to an IIS server, it would be given precedence over non-Microsoft browsers.

If the "other people" were all using the same browser as you . . .


Just pie-in-the-skying here . . .

#7  Spook76 (Moderator, Texas)  02-21-2018, 03:24 AM

Quote (originally posted by nalioth):
Yes, it's called a "user agent" (the name of the browser sent to the webserver when page requests are made).

Webservers can be configured (or misconfigured) to respond differently to different user agents.

Most notoriously, Microsoft used to provide "concierge service" to connecting Microsoft browsers from its own IIS servers (although a multi-million-dollar wrist-slapping got them to stop that). Bluntly, when a Microsoft browser would connect to an IIS server, it would be given precedence over non-Microsoft browsers.

If the "other people" were all using the same browser as you . . .


Just pie-in-the-skying here . . .
Brownells is not Microsoft, and the chances they'd ever see a reason to randomly/late at night reconfigure their server (it's been fine, in the past) to give access to multiple personal accounts to everybody using a Chrome browser (even just in Texas) is absurd. Crazy things happen, but it'd be just that...crazy.

Whatever it is, they'll likely have to be creative in either telling me the truth or making up a good lie. There are enough privacy/account security concerns these days, as it is; this crap is over the top.

ETA: What just occurred to me is that some hacker might very well have reconfigured their server in this way tonight, to give himself such wide account access (vs trying to hack lots of individual accounts), without caring that other people might stumble into the situation. Really, that'd make more sense than some possibilities.
Last edited by Spook76; 02-21-2018 at 03:32 AM.

#8  Maadi (Senior Member, Indiana)  02-21-2018, 03:29 AM

This is probably a simple programming glitch with the user session state. What happens is large companies use clustered web servers. So that each user maintains proper session state no matter which web server they hit, the session states are stored in a database. I’ve seen accidental changes to some code cause the session state to get corrupt and produce these symptoms, which are basically you getting the wrong logged on user session.

TLDR - They may have just been doing an upgrade and flubbed a bit of code.

You should contact them to let them know it happened so they can fix it if they weren’t aware. Also, it may look fine to everyone, except for the people hitting one bad cluster server, so even if it looks fixed, it may still be broken.
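The session-state failure Maadi describes above, as an added example that is not from the original thread and not Brownells' code: a small Python simulation of a clustered web tier whose workers share one session store. The names `SessionStore`, `BuggyWorker`, `FixedWorker` and the two sample accounts are assumptions made up for the illustration. The buggy worker keeps "the current user" in worker-wide state, so when a session lookup fails mid-request (the kind of transient failure a "could not load your cart, please reload" error would be consistent with) the next customer on that worker is rendered as the previous one. It also shows that a server-side logout does not defend against this bug class, while a per-request, fail-closed lookup does.

```python
"""Constructed simulation of wrong-user session rendering in a clustered web
tier with a shared session store, and the fix. Not Brownells' code; the
accounts, workers and store below are made up for illustration."""
import secrets
import threading

# Constructed sample accounts (stand-ins for customer records).
ACCOUNTS = {
    "u1": {"name": "Alice", "ship_to": "Austin, TX"},
    "u2": {"name": "Bob", "ship_to": "San Antonio, TX"},
}


class SessionStore:
    """Stand-in for the cluster-wide session database every worker consults."""

    def __init__(self):
        self._lock = threading.Lock()
        self._sessions = {}

    def create(self, user_id):
        # 256-bit IDs from the CSPRNG: guessing or colliding with another
        # customer's session ID is not a realistic path to this symptom.
        sid = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[sid] = user_id
        return sid

    def lookup(self, sid):
        with self._lock:
            return self._sessions.get(sid)

    def destroy(self, sid):
        # Server-side logout: the cookie value is worthless afterwards.
        with self._lock:
            self._sessions.pop(sid, None)


def render(user_id):
    """Account page as a dict; anonymous when no user was resolved."""
    if user_id is None:
        return {"logged_in": False}
    acct = ACCOUNTS[user_id]
    return {"logged_in": True, "name": acct["name"], "ship_to": acct["ship_to"]}


class BuggyWorker:
    """Keeps 'the current user' on the worker between requests (the bug).

    When a lookup fails or returns nothing, the field is never cleared, so
    the request is rendered as whoever this worker served last."""

    def __init__(self, store):
        self.store = store
        self.current_user = None  # BUG: per-request data held worker-wide

    def handle(self, cookie_sid, store_available=True):
        if store_available:
            user_id = self.store.lookup(cookie_sid)
            if user_id is not None:
                self.current_user = user_id
        # BUG: no reset on store failure or on an unknown/destroyed session
        return render(self.current_user)


class FixedWorker:
    """Resolves identity per request, from the cookie only, and fails closed."""

    def __init__(self, store):
        self.store = store

    def handle(self, cookie_sid, store_available=True):
        if not store_available:
            return render(None)  # never fall back to another request's state
        return render(self.store.lookup(cookie_sid))


def simulate(worker_cls):
    """Alice is served by a worker; Bob then hits the same worker while the
    session store is briefly unreachable. Returns (alice_page, bob_page)."""
    store = SessionStore()
    worker = worker_cls(store)
    alice_sid = store.create("u1")
    bob_sid = store.create("u2")
    alice_page = worker.handle(alice_sid)
    bob_page = worker.handle(bob_sid, store_available=False)
    return alice_page, bob_page


def simulate_after_logout(worker_cls):
    """Alice logs out (server-side destroy); a later request on the same
    worker carrying an unknown cookie should get an anonymous page."""
    store = SessionStore()
    worker = worker_cls(store)
    alice_sid = store.create("u1")
    worker.handle(alice_sid)
    store.destroy(alice_sid)
    return worker.handle("stale-or-foreign-cookie")


if __name__ == "__main__":
    for cls in (BuggyWorker, FixedWorker):
        print(f"{cls.__name__}: Bob's page -> {simulate(cls)[1]}")
        print(f"{cls.__name__}: after Alice logs out -> {simulate_after_logout(cls)}")
```

Run it with `python3` and compare the two workers: the buggy one hands Bob Alice's name and shipping address, and still does so after Alice has logged out, which is why logging out is a sensible precaution for the person whose account is exposed but no cure for the bug itself. The same symptom arises from other state shared across requests (a thread-unsafe global under concurrent load, or a proxy cache that serves a personalized response without the session in its cache key, which would also fit pages appearing while "logged out"); the thread does not establish which mechanism was actually at play.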

#9  Spook76 (Moderator, Texas)  02-21-2018, 03:37 AM

Quote (originally posted by Maadi):
This is probably a simple programming glitch with the user session state. What happens is large companies use clustered web servers. So that each user maintains proper session state no matter which web server they hit, the session states are stored in a database. I’ve seen accidental changes to some code cause the session state to get corrupt and produce these symptoms, which are basically you getting the wrong logged on user session.

TLDR - They may have just been doing an upgrade and flubbed a bit of code.

You should contact them to let them know it happened so they can fix it if they weren’t aware. Also, it may look fine to everyone, except for the people hitting one bad cluster server, so even if it looks fixed, it may still be broken.
Rgr, that makes sense as a good possibility, too. I'd already planned to call their HQ tomorrow. Given the response (or, lack of proper one) by their site chat guy tonight--it was right before he'd have closed it down for the night--I have little faith he'll correctly pass it up the food chain, so want to be sure they know about it.

#10  nalioth (Devil's Advocate & Moderator, Houston, Texas)  02-21-2018, 06:20 AM

Quote (originally posted by Spook76):
Brownells is not Microsoft, and the chances they'd ever see a reason to randomly/late at night reconfigure their server (it's been fine, in the past) to give access to multiple personal accounts to everybody using a Chrome browser (even just in Texas) is absurd. Crazy things happen, but it'd be just that...crazy.

Whatever it is, they'll likely have to be creative in either telling me the truth or make up a good lie. There are enough privacy/account security concerns these days, as it is; this crap is over the top.
Why do I need to "be creative" when it's computer code . .

Microsoft has been the most notorious abuser of "user agent", but they are not the only ones that have leveraged the user agent, or been affected by it.

Any webmaster can configure their website to treat each user agent ( browser ) differently.

For instance, a webmaster could code their site to show all Internet Explorer users a more basic version of their content, or one with a "microsofty" theme.

If someone in Brownell's IT department didn't dot their "i"s or cross the "t"s properly in the back end, what you're describing might be possible.


P.S. I've not been "telling" you anything about this - I've just been tossing out theories, 'cuz until Brownell's fesses up, nobody's ever gonna know what actually occurred.


P.P.S.

Websites can also be coded to perform differently based on visitor:

• location

• ISP

• display settings

and many other data points that browsers send to web servers with each request


Lots of "I"s and "T"s to watch . . .

#11  Spook76 (Moderator, Texas)  02-21-2018, 02:09 PM

Quote (originally posted by nalioth):
(snips...)

Why do I need to "be creative" when it's computer code . .


P.S. I've not been "telling" you anything about this - I've just been tossing out theories, 'cuz until Brownell's fesses up, nobody's ever gonna know what actually occurred.
I wasn't talking about you being creative/telling, blah, blah...Are you Brownells? No...Then, I guess you're not "they'll", eh?

#12  Fortis (Curio & Relic, Wash. state)  02-21-2018, 02:57 PM

Only ordered once from Brownell's, or at least tried to. Tried to purchase a Walther PPSM2 during the rebate last year, using one of THEIR approved FFL's in my area. Placed the order, waited several days & got no confirmation. Checked my account to find 'order on hold'. WTF? Called to inquire & was told they have to wait to verify the FFL. It was chosen from THEIR list!! Cancelled order, won't be going back. Idiots.
__________________
“The Constitution is not an instrument for the government to restrain the people, it is an instrument for the people to restrain the government - lest it come to dominate our lives and interests” - Patrick Henry
WTB-`82 Delorean & Flux Capacitor.
It's MY Island! Mine!

#13  Spook76 (Moderator, Texas)  02-21-2018, 03:07 PM

Update, such as it is:

Just got off the phone with Brownells...I'd asked for a supervisor right out of the gate. Without me even having to explain more than a sentence, she already knew about the issue. They were already aware of it, but didn't know just how bad it is (according to this person) until I gave her the details on what all I'd experienced/how many people's personal info their system was showing me. As of this morning, I'm now up to 7 people's accounts/info, two while the site showed me as "logged out". :-/

No fix, yet, and assurances she'd email me once they address it. Once I hear anything more, I'll update this thread.
Last edited by Spook76; 02-21-2018 at 03:14 PM.

#14  Rev06 (Titanium Member, Bronze Contributor, The Outer Limits)  02-21-2018, 06:26 PM

What a nightmare as well as plain damn annoying. I'm getting to the point where I am going to "try" and begin shifting to greater use of cash and trades. It's bad enough that our account info is out there in the vendors in the first place.
__________________
Rev

#15  nalioth (Devil's Advocate & Moderator, Houston, Texas)  02-21-2018, 06:37 PM

Quote (originally posted by Rev06):
It's bad enough that our account info is out there in the vendors in the first place
Most vendors don't keep any credit/debit card information.

They're set up with a third party payment system which is set up so that you interact with it directly.


The vast majority of "credit card breaches" have been with these third party payment systems - not actual vendors.

#16  fgw_in_fla (Well hung and unforgiving, Bronze Contributor, 3.27 Parsecs From Antares)  02-21-2018, 06:41 PM

Mr. Spook,
Thanks for the heads up on this. I ordered 10 magazines from there on Sunday eve. Although I did not experience anything you mentioned, my account has been hacked too many times to count over the past 5 years. It's a pain in the ass because I'm the asshole that has to drive 45 minutes to get a new card, make a charge dispute and worry if some scumbag will empty my account.

The last email I got from Brownell's says my order is being processed but still no shipment. Seems to be taking unusually long compared to other orders.

I'll be sure to keep my good eye on my bank info.
__________________
'Scuse me while I whip this out...
©1998-2018 The AK FIles