Tower Records Order Surfing

For some reason, you can look at any of the orders made through the Tower Records website just by changing the number at the end of their order status webpage.

See if you can find one better than this one before they find out and fix this embarrassing security leak:

http://www.towerrecords.com/orderStatus.aspx?orderno=2349039

I can’t believe someone ordered Turner and Hooch!! BTW, how did you figure this out, you l337 haXor?

Oh my, can I get in trouble for this? :lol:

Never mind, spying on people is fun.

That’s a nice privacy policy they have up next to the orders we’re seeing.

lol…

this is fun

:D

This one dude ordered Nelly!

I should email him and rag him about it!

:D

I guess they don’t consider their shoppers’ names, addresses, phone numbers, and email addresses to be confidential information…

This is a similar bug that Victoria’s Secret had. You could type in any number and see what underwear a woman (or man!) had ordered. VS didn’t show names and addresses, though.

http://www.towerrecords.com/orderStatus.aspx?orderno=2349125

…and now they’ve fixed the security hole. It’s inevitable: unless people spread the word, no one will hear about fun security breaches like this, but eventually word gets around to the techies in charge of the site.
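
The flaw discussed in this thread is an order-status lookup that trusts the order number in the URL and nothing else. As an added example (not part of the thread and not the site's own code), the following Python contrasts that lookup with one that checks ownership; the in-memory store, function names and session customer id are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    orderno: int
    customer_id: str
    name: str
    address: str


# Constructed sample data: order numbers and customers are made up.
ORDERS = {
    1001: Order(1001, "cust-a", "Alice Example", "1 Sample St"),
    1002: Order(1002, "cust-b", "Bob Example", "2 Sample Ave"),
}


class NotFound(Exception):
    """Would map to an HTTP 404 response in a real handler."""


def order_status_vulnerable(orderno):
    # The flaw: the order number from the query string is the only
    # input consulted, so any visitor can read any order.
    order = ORDERS.get(orderno)
    if order is None:
        raise NotFound()
    return order


def order_status_hardened(session_customer_id, orderno):
    # The caller's identity comes from the authenticated session,
    # never from the request parameters.
    order = ORDERS.get(orderno)
    # Missing, anonymous and not-owned all produce the same error, so
    # responses do not reveal which order numbers exist.
    if (order is None or session_customer_id is None
            or order.customer_id != session_customer_id):
        raise NotFound()
    return order


def can_view(session_customer_id, orderno):
    """Return True only if the hardened lookup would serve the order."""
    try:
        order_status_hardened(session_customer_id, orderno)
        return True
    except NotFound:
        return False
```

Sequential order numbers make the gap easy to notice, but switching to random identifiers alone does not fix it; the ownership check is what closes it.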