Sears: Life. Well Cooked.

August 21, 2009 by Chip | 4 comments

TMZ reported yesterday about a grill featured on Sears’ website under “Human Cooking > Grills to Cook Babies and More > Body Part Roaster”, and they produced the following image as proof:

According to reddit user gfixler, who claims responsibility for the prank, he’s been able to make these sorts of modifications to the breadcrumb trail on sears.com “all year.”

Here’s another example:


As explained by reddit user immerc, no hacking was involved: the prankster simply edited the parameters in the URL of the product page and reloaded it. Sears was building the breadcrumb text directly from those URL parameters, with no validation and no output encoding, so whatever a visitor typed into the query string was written straight into the page. Worse, the site cached the rendered page for each item, so a breadcrumb injected by one visitor was served to everyone else who viewed that item until the cached copy expired.

Sears has since fixed the flaw, and has hopefully learned the lesson: anything that arrives in a URL is untrusted input, and page content like a breadcrumb should come from the server’s own catalog data (or at the very least be validated and HTML-encoded) before it is rendered, let alone cached for other users.
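To make the mechanism concrete, here is an added example that reproduces the pattern described above in a few dozen lines of Python. It is not Sears’ code: the catalog, the URLs, the parameter names (`pid`, `cat`) and the cache are all constructed for illustration. `render_vulnerable` reads the breadcrumb from the query string and writes it into the HTML unescaped; `render_hardened` ignores that parameter, takes the breadcrumb from the server-side catalog keyed by item id, and HTML-escapes everything it writes. `PageCache` keys pages by item id only, which is what turns a one-off reflected trick into something every later visitor sees.

```python
"""Breadcrumb injection via URL parameters, plus the caching that made it persist.
Constructed example; not Sears' code. Catalog, URLs and parameter names are made up."""
import html
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalog: the only data the page should trust.
CATALOG = {
    "123": {
        "name": "Kenmore Gas Grill",
        "path": ["Outdoor Living", "Grills & Outdoor Cooking", "Gas Grills"],
    },
}


def _query(url):
    """Flatten ?a=1&b=2 into {'a': '1', 'b': '2'} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def render_vulnerable(url):
    """The flaw as the post describes it: the breadcrumb is taken straight from
    the 'cat' parameter and written into the page without validation or escaping,
    so any text (and any markup) in the URL becomes page content."""
    q = _query(url)
    names = q.get("cat", "").split("|")
    item = CATALOG.get(q.get("pid", ""), {"name": ""})
    return ("<div id='crumb'>" + " > ".join(names) + "</div>"
            "<h1>" + item["name"] + "</h1>")


def render_hardened(url):
    """Fixed version: the breadcrumb comes from the catalog entry for the item id,
    the 'cat' parameter is ignored entirely, unknown ids get a fixed error page
    that echoes nothing, and every string written into HTML is escaped."""
    q = _query(url)
    item = CATALOG.get(q.get("pid", ""))
    if item is None:
        return "<h1>Item not found</h1>"
    crumb = " &gt; ".join(html.escape(n) for n in item["path"])
    return ("<div id='crumb'>" + crumb + "</div>"
            "<h1>" + html.escape(item["name"]) + "</h1>")


class PageCache:
    """Page cache keyed by item id only, as described in the post: whatever the
    first visitor caused the server to render is served to every later visitor
    of that item until the entry is evicted."""

    def __init__(self, render):
        self.render = render
        self.store = {}

    def get(self, url):
        key = _query(url).get("pid", "")
        if key not in self.store:
            self.store[key] = self.render(url)
        return self.store[key]


# Constructed URLs: one prank request, one ordinary visit to the same item.
ATTACK_URL = ("https://shop.example.test/p?pid=123"
              "&cat=Human+Cooking|Grills+to+Cook+Babies+and+More|Body+Part+Roaster")
CLEAN_URL = "https://shop.example.test/p?pid=123"


def demo():
    """Returns (page a later visitor sees from the vulnerable cache,
                page a later visitor sees from the hardened cache)."""
    vulnerable = PageCache(render_vulnerable)
    hardened = PageCache(render_hardened)
    vulnerable.get(ATTACK_URL)   # prankster primes the cache
    hardened.get(ATTACK_URL)     # same request against the fixed renderer
    return vulnerable.get(CLEAN_URL), hardened.get(CLEAN_URL)


if __name__ == "__main__":
    poisoned, clean = demo()
    print("vulnerable cache serves:", poisoned)
    print("hardened cache serves:  ", clean)
```

Two things are worth noticing when you run it. The poisoned page is returned for the clean URL, because the cache key never included the parameter the prankster changed; and in the hardened version the same attack URL is harmless even before caching is considered, because nothing from the query string other than the item id influences the output, and that id is only used as a lookup key. Escaping is the second line of defence: the catalog's own “Grills & Outdoor Cooking” comes out as `Grills &amp; Outdoor Cooking`, so a catalog entry containing markup could not break the page either.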

Thanks to Alex B. for the tip.


4 Responses to “Sears: Life. Well Cooked.”

  1. Nicolas says:

    Was XSS possible? They have an online shopping cart on their web site…

    • Chip says:

      I don’t know. Sears has published assurances that no customer data was compromised, but if they were clueless enough to incorporate unfiltered URL components in a web page, how much can they be believed?

  2. Juggernath says:

    This has brought on rumors of the impending resignation of Reddit’s current head administrator, spez. When Sears got hold of this flaw they contacted their legal department, who in turn contacted Reddit’s parent company and forced spez to remove the original post. The Reddit community, spez included, are extremely unhappy about being censored in this manner, and even worse over something that wasn’t illegal or hurtful. They’re also a little angry at how neither TMZ nor Fox News gave gfixler or Reddit any credit for this find.

    • Chip says:

      Yeah, why should they censor true reports about a company’s web stupidity? Especially since it was basically harmless (as far as we know).
