Sears: Life. Well Cooked.

TMZ reported yesterday about a grill featured on Sears’ website under “Human Cooking > Grills to Cook Babies and More > Body Part Roaster”, and they produced the following image as proof:

According to reddit user gfixler, who claims responsibility for the prank, he’s been able to make these sorts of modifications to the breadcrumb trail on sears.com “all year.”

Here’s another example:

As reddit user immerc explained, the prank required nothing more than editing the parameters in the URL of the page being viewed and reloading it: Sears built the breadcrumb text directly from the URL without validating it. Worse, the site cached the rendered page for each item, so a breadcrumb supplied by one visitor stayed visible to other users for a nontrivial period of time.
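The two patterns the post contrasts, as an added example (not Sears’ code): a breadcrumb built from URL parameters versus one taken from the site’s own catalog data, with a per-item page cache replayed to show why the injected text persisted. The parameter names, catalog entries and cache behaviour are assumptions constructed from the post’s description.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed catalog standing in for the site's database. The item's real
# category path lives here, server-side, and is the only trustworthy source.
CATALOG = {
    "item-123": {"name": "Gas Grill", "path": ["Outdoor Living", "Grills"]},
}


def breadcrumb_from_url(url: str) -> str:
    """Vulnerable pattern: breadcrumb text copied straight from URL parameters."""
    params = parse_qs(urlsplit(url).query)
    crumbs = params.get("cat", []) + params.get("subcat", [])
    return " > ".join(crumbs)  # visitor-chosen text, neither validated nor escaped


def breadcrumb_from_catalog(url: str) -> str:
    """Hardened pattern: the URL only identifies the item; the breadcrumb is
    looked up from catalog data and HTML-escaped before output."""
    params = parse_qs(urlsplit(url).query)
    item = CATALOG.get(params.get("item", [""])[0])
    if item is None:
        raise KeyError("unknown item")
    return " > ".join(escape(crumb) for crumb in item["path"])


def simulate(render):
    """Replay the incident: the page cache is keyed on the item id alone (assumed,
    matching the post), so whoever requests the item first decides what is cached."""
    cache = {}

    def serve(url: str) -> str:
        item_id = parse_qs(urlsplit(url).query).get("item", [""])[0]
        if item_id not in cache:
            cache[item_id] = render(url)
        return cache[item_id]

    first = serve("/p?item=item-123&cat=Injected+Text&subcat=More")   # tampered URL
    later = serve("/p?item=item-123&cat=Outdoor+Living&subcat=Grills")  # ordinary visitor
    return first, later
```

With the vulnerable renderer both visitors see the injected breadcrumb; with the catalog-backed renderer the URL parameters no longer matter, so a polluted cache entry cannot arise.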

Sears has since fixed the flaw, and hopefully learned its lesson about sanitizing anything that might come from a user.

Thanks to Alex B. for the tip.

8 Responses to Sears: Life. Well Cooked.

    • I don't know. Sears has published assurances that no customer data was compromised, but if they were clueless enough to incorporate unfiltered URL components in a web page, how much can they be believed?

  1. This has brought on rumors of the impending resignation of Reddit's current head administrator, spez. When Sears got hold of this flaw they contacted their legal department, who in turn contacted Reddit's parent company and forced spez to remove the original post. The Reddit community, spez included, is extremely unhappy about being censored in this manner, and even worse over something that wasn't illegal or hurtful. They're also a little angry at how neither TMZ nor Fox News gave gfixler or Reddit any credit for this find.

    • Yeah, why should they censor true reports about a company’s web stupidity? Especially since it was basically harmless (as far as we know).
