We recently ran into a "bug" which allows Customer A to have access to customer B's account.
The Situation...
-Customer A adds items to their cart but can't checkout for some reason. Customer A calls the store to finish the order over the phone.
-Sales Associate goes to the order in "Not Completed" orders and intends to complete the order as a "phone order".
-After clicking on the order, and then clicking on "complete", the phone order dialog comes up.
-Phone call gets disconnected before payment info can be taken, and the sales associate goes back to work on other orders.
-Sales Associate needs to log in to Customer B's account for some reason.
THIS HAS JUST GIVEN CUSTOMER A ACCESS TO CUSTOMER B's ACCOUNT.
-If Customer A goes back online to try and complete the order, they are now given Customer B's account. They can see address, saved cards (not full numbers, thankfully) and complete order history.
The Problem...
-"Completing" an order turns it into a phone order, which sets a cookie as soon as that button is pressed. Even though you never interact with the front end, 3dcart treats you like the person who is placing that not completed order.
-If at any point from there on you log in to the front end, it treats you like someone who was not logged in but then logged in, so it moves that not completed order to that account.
-The issue is that Customer A still has their cookie assigning them to that not completed order. So now the system thinks they are Customer B.
The Solution...
The only solution now is to log completely out of the admin area if you start to complete a not completed order but don't finish. This probably also means you have to clear your cookies, which is a hassle.
I have brought this to 3dcart's attention. Their stance, as usual with these things, is that it's a "feature" not a "bug". However, I feel that because the way the system works is not logical, it should be brought to people's attention so that you can avoid giving unintended access to customers.
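To make the failure mode concrete, here is an added toy model of the cookie-to-order binding the post describes, alongside a hardened version where identity is kept on the session rather than derived from the cart. This is example code written for this post, not 3dcart's code; the class names, method names and "customer_b" are constructed for illustration.

```python
import secrets

class FlawedStore:  # identity is resolved through the cart the cookie points at (the post's behaviour)
    def __init__(self):
        self.carts, self.cookies = {}, {}  # cart_id -> owner or None; cookie -> cart_id
    def new_session(self):
        cid, c = secrets.token_hex(8), secrets.token_hex(8)
        self.carts[cid], self.cookies[c] = None, cid
        return c, cid
    def admin_complete_as_phone_order(self, cart_id):
        c = secrets.token_hex(8)
        self.cookies[c] = cart_id  # the admin browser is now treated as that cart's shopper
        return c
    def login(self, cookie, customer):
        self.carts[self.cookies[cookie]] = customer  # the not-completed order is moved to the account
    def whoami(self, cookie):
        return self.carts[self.cookies[cookie]]  # every cookie pointing at that cart now "is" the account
    def can_use_cart(self, cookie):
        return True

class HardenedStore:  # identity lives on the session; a cart is data a session may or may not use
    def __init__(self):
        self.carts, self.sessions = {}, {}  # cart_id -> owner or None; cookie -> (customer, cart_id)
    def new_session(self):
        cid, c = secrets.token_hex(8), secrets.token_hex(8)
        self.carts[cid], self.sessions[c] = None, (None, cid)
        return c, cid
    def admin_complete_as_phone_order(self, cart_id):
        c = secrets.token_hex(8)
        self.sessions[c] = (None, cart_id)
        return c
    def login(self, cookie, customer):
        _, cid = self.sessions.pop(cookie)  # rotate the cookie at login
        if self.carts[cid] is None:
            self.carts[cid] = customer  # claim the anonymous cart for this account only
        elif self.carts[cid] != customer:
            cid = secrets.token_hex(8); self.carts[cid] = None  # never adopt another account's cart
        self.sessions[secrets.token_hex(8)] = (customer, cid)
    def whoami(self, cookie):
        return self.sessions[cookie][0]  # only what this session itself logged in as
    def can_use_cart(self, cookie):
        customer, cid = self.sessions[cookie]
        return self.carts[cid] in (None, customer)  # a cart claimed by another account is detached

def run_scenario(store):
    a, cart = store.new_session()  # customer A fills a cart but cannot check out
    admin = store.admin_complete_as_phone_order(cart)  # associate presses "complete"; the call drops
    store.login(admin, "customer_b")  # associate later logs in to customer B's account
    return store.whoami(a), store.can_use_cart(a)  # what customer A's browser is now treated as
```

`run_scenario(FlawedStore())` reproduces the post: Customer A's untouched cookie now resolves to customer B. With `HardenedStore`, the same sequence leaves Customer A anonymous and simply detaches them from the cart that was claimed by another account.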