
Clickbank order details in plain view - Auserget
https://www.google.com/search?q=site%3Aclkbank.com%2ForderDetail.htm
======
flashinfremont
Hi, this is Matt Hulett the CEO of ClickBank.

ClickBank was recently made aware of a situation in which customers were
posting their information using social bookmarking sites, which are indexed by
Google. As a result, ClickBank is taking steps to limit the information that a
consumer can inadvertently share through such services. We take customer
privacy very seriously and believe that all individuals share responsibility
for maintaining the security of personal information that is posted online. At
no time is customer payment information disclosed.

~~~
jevinskie
How was customer payment information NOT disclosed?! It is on Google!! The
URLs should be protected by authentication! It should be _impossible_ for
Google or anyone else to access it without a login. It does not matter that
some customers shared it on social sites. Saying there is no problem if the
social sharing doesn't occur is security through obscurity.

~~~
kalleboo
I've been through this before. Online receipts identified with long, random
URLs. Users posting them online with no regard for security. Requiring a login
for purchase was deemed infeasible since it adds friction to the checkout
process. The only thing keeping the online receipt from google was robots.txt.

~~~
aroch
Except there are neither long URLs nor unindexed (no meta tags, no nothing!)

------
aroch
Direct search link:
[https://www.google.com/search?q=site%3Aclkbank.com%2ForderDe...](https://www.google.com/search?q=site%3Aclkbank.com%2ForderDetail.htm)

Well, this is pretty egregious and makes me rather happy I don't use them.
From the looks of things you can also change the email associated with an
order and send yourself the info all over again. This means for some things,
like online services or say application licenses, you can resend the info to
yourself and probably steal the actual customers product.

Additionally, I'm willing to bet quite a few of these people have used the
listed email and last 4 for other things online and/or for verification of
identity places.

Also, how is this PCI compliant?

~~~
freehunter
There's no payment card information besides what's acceptable to show (last
four and card type). Full name and email address are PII, but not necessarily
in breach of PCI. I don't believe SOX has anything specifically mentioning
full name and email PII either. If that's the case, the only thing that would
make it a PCI or SOX violation is if the company says in their data privacy
policy that they will protect this PII. I work information security but I am
not on my company's compliance team, so I'm familiar with PCI/SOX but not
steeped in it. I believe the above is true, but I'm not an auditor.

As far as trying to gain a copy of the information in the email, it might be
possible if you were willing to put your own email on record as being part of
this data breach. It's also possible that the only thing contained in the
email is purchase confirmation (aka, what is shown in the printable invoice).

~~~
nexfina
Looks like some of these are showing a customer's physical address too. I sure
hope that wouldn't be PCI compliant.

[https://www.clkbank.com/orderDetail.htm?rcpt=504d78866YCRFEF...](https://www.clkbank.com/orderDetail.htm?rcpt=504d78866YCRFEF7)
(Click on View Details under Tracking Number)

~~~
wmboy
PCI is designed to protect against credit card fraud, not customers' address
information. Banks don't care about the risk of identity theft, but rather
credit card fraud.

------
rdouble
I interviewed for a hedge fund once where my job interview was to write a
program that exploited a security flaw like this to make a real time model of
what people were paying for diamonds.

~~~
meowface
Did you get the job?

~~~
rdouble
No. It was a week long, paid interview. After a couple of days I decided not
to come back. Mainly because the main project seemed illegal (which I'll admit
held some criminal mastermind allure) and I had another job lined up in Japan.
In retrospect, I wish I would have done it as the job in Japan was terrible
and I've not come across a similar opportunity since.

~~~
genwin
The NSA has a contractor position open in Honolulu.

~~~
rdouble
I graduated from high school and am pretty good at powerpoint, so I am
assuming I am overqualified.

------
hughw
No worries, it's certified by TRUSTe
[http://clicktoverify.truste.com/pvr.php?page=validate&url=ww...](http://clicktoverify.truste.com/pvr.php?page=validate&url=www.clickbank.com&sealid=101)

edit: not that TRUSTe claims to test this sort of exposure, to my knowledge.
But simply to contrast the feeling of trust a label like that gives you,
against the reality.

------
Esifer
Clickbank is a joke! I remember years ago you could put a product name and
"thank you" into Google and you would find the thank-you page with a direct download link.

EDIT: Someone even made CB product to protect thank you page: Fix My Thank You
Page [http://fixmythankyoupage.com/](http://fixmythankyoupage.com/) only $97
LOL!

~~~
Sheepshow
I guess Google really started taking advantage of "today's digital internet"

> Adding "no follow" tags to your Robots.txt file is a smart step but it's
> simply not enough on today's digital internet.

~~~
hughw
On the old analog internet it worked great.

------
freehunter
I hate LMGTFY. It's slow and condescending, especially for something like this
where slow and condescending don't add anything. Is it not possible to just
submit a Google search link? Or use a text-only post?

~~~
swang
Looks like a mod has changed it.

------
codegeek
Hope no one is clicking on the "Resend Receipt Email" button. Imagine a
customer receiving the receipt email for something they bought 3 years ago...

------
hbbio
The founder sure knows about technology:

"As a research scientist for the NSA, Dr. Tim Barber was..."

~~~
Percein
I wonder if their new CFO that started today wants to take back what he said
about ClickBank's "strong digital platform."

[http://www.prweb.com/releases/2013/6/prweb10846812.htm](http://www.prweb.com/releases/2013/6/prweb10846812.htm)

------
swang
What exactly is Clickbank? It looks like a platform to help people resell
their knowledge?

~~~
dotmanish
Apart from various ebooks and what not, it seems they also help people sell:

Backup software subscription:
[https://www.clkbank.com/orderDetail.htm?rcpt=4fb75aa1LPBHFEH...](https://www.clkbank.com/orderDetail.htm?rcpt=4fb75aa1LPBHFEHN)

and ...

Phone lookups (they work?):
[https://www.clkbank.com/orderDetail.htm?rcpt=514323c6WDJ2F3C...](https://www.clkbank.com/orderDetail.htm?rcpt=514323c6WDJ2F3CE)

~~~
DanBC
> Phone lookups (they work?)

Perhaps not?

([https://www.clkbank.com/viewTicket.htm?key=01.BF205EF24EE6D9...](https://www.clkbank.com/viewTicket.htm?key=01.BF205EF24EE6D985E55A33C61841AD9A00DC42E0FF61DF073E5EBD9EC8EC6B194B1F628D))

> _Reason: I never received my product._

------
pdog
Wow. People pay a lot of money for snake oil.

~~~
Domenic_S
_I smell a startup!!_ Quick, to Sand Hill road!

------
joshstrange
And you can edit the email address without being logged in

~~~
ambiate
That was the first thing I tried too. I expected the window to pop up and say
something along the lines of "You need to be logged in...". Nope. Insta-update.

------
hughw
Are we all violating the Computer Fraud and Abuse Act of 1986 by exploiting
this weakness? By following a link?

------
psutor
Does Google pull links from Gmail and attempt to index them? I am wondering
how they knew to index these pages with random URLs (the "security through
obscurity" employed by ClickBank and defended in the support ticket referenced
in the comments here).

~~~
ShaunK
I'm fairly certain they do, from experiences in the past where otherwise
completely private (but unprotected) URLs have ended up indexed.

~~~
jontro
If you're browsing with chrome or a browser with the google toolbar urls will
be submitted to google automatically.

------
keltex
At least they could have added a meta robots noindex to the page. That would
have kept it out of search although not eliminated the security hole.

------
NKCSS
They took this part of the site down, but you can just open the google cache
and all details are there...

------
bobfunk
Heh, Power4Home System ordered by "I.hate.niggers@microsoft.com" ...

[https://www.clkbank.com/orderDetail.htm?rcpt=504d78866YCRFEF...](https://www.clkbank.com/orderDetail.htm?rcpt=504d78866YCRFEF7)

~~~
mmanfrin
Why is this racist juvenility the top rated comment in this thread?

~~~
bobfunk
I don't think it's funny because it's racist, I think it's funny because it
reveals what kind of embarrassing data a security hole like this brings out.

~~~
DanBC
Except anyone can edit the emails, even now.

------
diroussel
I had a look at a few of them, and they are mostly scam payments. Like $30
membership for a website where you "get paid to answer surveys".

------
lominming
The problem was that some average developer was lazy and did whatever
worked, with no concern about potential security implications.

~~~
systematical
No, not lazy. Being lazy would have been doing a simple session check and then
redirecting to a login page if the session user id did not match the user id
in the order. The developer had no idea what he/she was doing. Brutal.

~~~
karolist
You have me listening. What would be the correct course of action while not
lazy and knowing what you're doing? I know that "knowing what you're doing"
and this question doesn't go together, but still anything better than a
check/redirect?
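To make the check/redirect discussion concrete, here is an added example (not ClickBank's code, and not from any commenter) of the order-detail and email-update handlers with and without the ownership check the thread is asking for. The receipt ids, user ids and in-memory table are constructed for the example; the hardened lookup fails closed so an unknown receipt and someone else's receipt are indistinguishable to the caller, and the response also carries a noindex header so a leaked link cannot be indexed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    rcpt: str       # receipt id that appears in the URL
    owner_id: int   # account that placed the order
    email: str
    product: str


# Constructed sample data standing in for the orders table.
ORDERS = {
    "RCPT-EXAMPLE-1": Order("RCPT-EXAMPLE-1", 42, "alice@example.com", "ebook"),
    "RCPT-EXAMPLE-2": Order("RCPT-EXAMPLE-2", 7, "bob@example.com", "backup-sub"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested order."""


def view_order_vulnerable(rcpt: str) -> dict:
    # The flaw under discussion: the receipt id in the URL is the only "credential",
    # so anyone holding (or indexing) the link gets the order.
    o = ORDERS[rcpt]
    return {"product": o.product, "email": o.email}


def _authorize(session_user_id: Optional[int], rcpt: str) -> Order:
    # Fail closed: no session, unknown receipt and wrong owner all raise the same
    # error, so the endpoint does not confirm which receipt ids exist.
    o = ORDERS.get(rcpt)
    if session_user_id is None or o is None or o.owner_id != session_user_id:
        raise Forbidden("login required or not your order")
    return o


def view_order(session_user_id: Optional[int], rcpt: str) -> dict:
    o = _authorize(session_user_id, rcpt)
    # Defence in depth: even an authorised page should not be cached or indexed.
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    return {"product": o.product, "email": o.email, "headers": headers}


def update_email(session_user_id: Optional[int], rcpt: str, new_email: str) -> bool:
    # The thread's second flaw: the email could be changed with no login at all.
    o = _authorize(session_user_id, rcpt)
    o.email = new_email
    return True


def is_forbidden(fn, *args) -> bool:
    """Helper for checks: True if the call is rejected by the ownership check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```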

------
rtrocc
Has anyone realized all of this has to do with clkbank.com, NOT ClickBank.com?

Looks like a fake site all together...

~~~
encoderer
It's pretty common to have multiple domains, especially affiliate marketing
websites. ClickBooth has clickboothlnk.com, NeverBlue has many random
alphanumeric domains.

This certainly is Clickbank.com

------
JeremyMorgan
We're all going to get rich!

------
rk0567
This is horrible! I can even download ebooks (probably there is a "Download Now"
button for digital products) from certain orders :(

------
pomber
But it has a TRUSTe online privacy certification...

------
moneyrich2
WTF is a .htm file, I'm feeling all nostalgic, I haven't seen one of those in
a decade. I wonder what version of CGI those developers are using.

Seriously though, wow! that's really awful.

