Credit Card Scare
3rdPlanetPhotography
May-15-2005, 07:08 PM
Maybe someone can confirm what I'm seeing on this end. I logged into my smugmug and ordered some photos on a computer that was not mine. When I was done I clicked "Logout" and I was returned to my normal smugmug screen and not logged in.
Then another person on that computer clicked on one of my albums to order some photos of their own from my albums. Since I'm now logged out it shouldn't know who I am any longer. They put photos in their cart, clicked to checkout and the next screen showed all of my information and also had all my credit card info. They were able to order photos and use my information. We duplicated the same problem even after we closed and re-started our browser.
This scares the hell out of me. Will someone please look into this?
kc7dji
DavidTO
May-15-2005, 07:43 PM
You will mostly get help based on your post, but I want to point out the sticky thread at the top of this forum, that this is not the official support page for smugmug, and that if you want help, it is best to go here (http://www.smugmug.com/help/emailreal) or help@smugmug.com
mercphoto
May-15-2005, 07:56 PM
Maybe someone can confirm what I'm seeing on this end. I logged into my smugmug and ordered some photos on a computer that was not mine. When I was done I clicked "Logout" and I was returned to my normal smugmug screen and not logged in.
Then another person on that computer clicked on one of my albums to order some photos of their own from my albums. Since I'm now logged out it shouldn't know who I am any longer. They put photos in their cart, clicked to checkout and the next screen showed all of my information and also had all my credit card info. They were able to order photos and use my information. We duplicated the same problem even after we closed and re-started our browser.
This scares the hell out of me. Will someone please look into this?
kc7dji
You need to clear the browser cache. It's not a Smugmug issue.
3rdPlanetPhotography
May-16-2005, 05:28 AM
You need to clear the browser cache. It's not a Smugmug issue.
Then it comes to a design issue. I'm a developer myself and never should I have to clear the cache every time I place an order. In some cases like in a public library or any public machine you may not have proper permissions to clear the cache or change any settings.
kc7dji
Andy
May-16-2005, 05:39 AM
kc, i tried to recreate your problem and couldn't get the same result.
sorry :dunno
flyingpylon
May-16-2005, 06:21 AM
Whenever you use a computer other than your own, and think you have "logged out" of a site, you should also close the browser.
{JT}
May-16-2005, 07:52 AM
Nope, you should not have to clear your cache. Not sure what is going on here - but when you logout, we destroy your session and all the information related to it. So when you hit any form page you should not see anything filled in. I tried to recreate this as well and can not. Can you provide more info: browser, os, version, plugins (google toolbar for instance remembers form values for you and fills them in, even AFTER you have logged out, look for yellow form fields).
Then it comes to a design issue. I'm a developer myself and never should I have to clear the cache every time I place an order. In some cases like in a public library or any public machine you may not have proper permissions to clear the cache or change any settings.
kc7dji
mercphoto
May-16-2005, 07:56 AM
Nope, you should not have to clear your cache. Not sure what is going on here - but when you logout, we destroy your session and all the information related to it.
Did the guy, by any chance, tell his browser to remember data values filled in on a form?
{JT}
May-16-2005, 08:21 AM
Did the guy, by any chance, tell his browser to remember data values filled in on a form?
That is what we are waiting to hear on. I mentioned third party plugins like google toolbar and their ability to do this, but I think that IE only has auto complete and will not fill things in automatically on its own.
onethumb
May-16-2005, 09:33 AM
Maybe someone can confirm what I'm seeing on this end. I logged into my smugmug and ordered some photos on a computer that was not mine. When I was done I clicked "Logout" and I was returned to my normal smugmug screen and not logged in.
Then another person on that computer clicked on one of my albums to order some photos of their own from my albums. Since I'm now logged out it shouldn't know who I am any longer. They put photos in their cart, clicked to checkout and the next screen showed all of my information and also had all my credit card info. They were able to order photos and use my information. We duplicated the same problem even after we closed and re-started our browser.
This scares the hell out of me. Will someone please look into this?
kc7dji
This is a bug. Sorry! We'll have a fix out "soon".
I should note, though, that no credit card information is stored on your browser where anyone else can get to it. Additionally, they can't get it from any of the pages in the cart. So they can't take your card and use it elsewhere.
We still take this seriously, and already have a fix ready to test. Our carts used to self-destruct as soon as you closed your browser, but now they persist for a month, and we overlooked this issue.
Thanks for letting us know!
Don
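An added illustration, not SmugMug's code and not part of the original thread: a minimal model of how a cart that persists for a month and remembers its owner can keep pre-filling account data after the session is destroyed, next to a logout and checkout that avoid it. The data model, class and function names, and sample account are all assumptions constructed for this example.

```python
import secrets

# Constructed sample account data, kept server-side only.
ACCOUNTS = {"kc": {"ship_to": "1 Example St", "card_last4": "4242"}}

class Shop:
    def __init__(self, fixed):
        self.fixed = fixed
        self.sessions = {}  # session id -> user; destroyed at logout
        self.carts = {}     # cart id -> cart; its cookie persists for a month

    def new_cart(self):
        cart_id = secrets.token_hex(16)
        self.carts[cart_id] = {"items": [], "owner": None}
        return cart_id

    def login(self, user, cart_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.carts[cart_id]["owner"] = user  # cart linked to the account
        return sid

    def logout(self, sid, cart_id):
        self.sessions.pop(sid, None)  # session destroyed either way
        if self.fixed:
            # The persistent cart must not survive as a handle to the account:
            # drop it and hand the browser a fresh anonymous cart cookie.
            self.carts.pop(cart_id, None)
            return self.new_cart()
        return cart_id  # flawed: same cart cookie, owner link intact

    def checkout_prefill(self, sid, cart_id):
        if self.fixed:
            user = self.sessions.get(sid)  # only a live session allows pre-fill
        else:
            user = self.carts[cart_id]["owner"]  # flawed: trusts the cart cookie
        return ACCOUNTS.get(user, {})

def shared_computer_scenario(fixed):
    """First user logs in and out; a second person then checks out."""
    shop = Shop(fixed)
    cart = shop.new_cart()
    sid = shop.login("kc", cart)
    cart = shop.logout(sid, cart)
    shop.carts[cart]["items"].append("print-8x10")  # second person's order
    return shop.checkout_prefill(None, cart)  # no session cookie presented
```
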
Bodley
May-16-2005, 11:06 AM
This is a bug. Sorry! We'll have a fix out "soon".
Our carts used to self-destruct as soon as you closed your browser, but now they persist for a month, and we overlooked this issue.
Thanks for letting us know!
Don
Will the shipping and card info still be filled in automatically if you are logged in? I really like not having to input this data.
Greg
onethumb
May-16-2005, 01:48 PM
Will the shipping and card info still be filled in automatically if you are logged in? I really like not having to input this data.
Greg
If you're logged in, yes, we pre-fill the data we can. (using the buttons on the shipping & billing pages).
Don
3rdPlanetPhotography
May-16-2005, 05:08 PM
If you're logged in, yes, we pre-fill the data we can. (using the buttons on the shipping & billing pages).
Don
Great! Thank you guys so much for looking into this. I really didn't mean to sound like I was b*tching but I too think it's a serious issue.
Awesome work and fast response!!!!
kc7dji