My wife went to check on a ticket order she had placed for a concert. She went to her browser history to get the site. She clicked on the line that said "confirm your order" and got someone else's order - in progress. Yup, credit card number partially showing. She squawked and had me come look.

The link she hit had the session ID in the URL. She joined another session with the same ID. She could see and change the shopping cart, the ship-to address... It was briefly hers to do with as she pleased - until the session expired.

It was Lasso. Their session IDs seem to not have so many digits, therefore increased risk of re-use.

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
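The post's last point, that IDs with few digits get reused, is a birthday-bound problem. The following is an added example (not from the poster or from Lasso) that estimates collision probability for an ID of a given size and shows a properly sized token; the 8-digit ID length is a constructed assumption, since the post does not say how long the vendor's IDs actually were.

```python
"""Why short session IDs get reused: birthday-bound collision estimates
for IDs of a given size, next to a generator for properly sized tokens.
Constructed numbers only; the 8-digit length is hypothetical."""
import math
import secrets


def id_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random ID of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def collision_probability(bits: float, active_sessions: int) -> float:
    """Probability that at least two of `active_sessions` independently
    random IDs from a 2**bits space collide (birthday approximation
    1 - exp(-n(n-1)/2N); expm1 keeps very small results exact)."""
    n = active_sessions
    space = 2.0 ** bits
    return -math.expm1(-n * (n - 1) / (2 * space))


def sessions_before_risk(bits: float, max_probability: float) -> int:
    """Largest number of simultaneously live sessions the ID space can
    hold before the collision probability exceeds `max_probability`."""
    space = 2.0 ** bits
    # invert the approximation: n^2 ~ -2N ln(1 - p)
    return int(math.sqrt(-2 * space * math.log1p(-max_probability)))


def new_session_id() -> str:
    """256-bit token from the OS CSPRNG. URL-safe alphabet, but it belongs
    in a cookie, not a query string, so it never lands in browser history."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    short_bits = id_bits(8, 10)     # hypothetical 8 decimal digits: ~26.6 bits
    strong_bits = 32 * 8            # token_urlsafe(32) draws 32 bytes: 256 bits
    for label, bits in (("8-digit", short_bits), ("256-bit", strong_bits)):
        p = collision_probability(bits, 10_000)
        print(f"{label}: {bits:.1f} bits, P(collision among 10k live sessions) = {p:.3g}")
    print("live sessions an 8-digit space holds at p<=1%:",
          sessions_before_risk(short_bits, 0.01))
    print("example strong id:", new_session_id())
```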
