Would You Consider This A Design Flaw?

I was on the Wish List page on tenderfilet.com and noticed a search box.  Being a curious monkey I entered ‘h’:

tenderfilet.com wish list search
tenderfilet.com wish list search

I was surprised to see this list pop up.  The screenshot below is a partial screenshot of the results page:

tenderfilet.com search results
tenderfilet.com search results

It has the customers full name and address.  Would you consider this a design flaw?

If you want to check this out on the live site click here.

7 thoughts on “Would You Consider This A Design Flaw?

  1. Yikes, I would say so.

    I’m not a SQL or database whiz, but I’m guessing the lookup query is written in such a way that takes what you enter (h) and attaches wildcards before or after it, resulting in every email with an H in in. Their development team should take a serious look at this.

  2. You are right, that’s exactly what’s happening at the code execution level. Here is the clincher, I bet the marketing team at tenderfilet.com is not even aware of this design flaw. Luckily they don’t list email addresses or their competitors could have done some serious damage.

  3. Here’s the problem though. If they are showing contact information, someone can call the customer, claiming to be from Tender Filet, and try to solicit credit card information. This happened to one of my clients before, and it was an absolute disaster.

    I’m all for usability, but Contact information should never be that available on a public site.

  4. Its an interesting issue. As you guys discussed, they are taking the letter and if any name has that letter it is showing the results. However if you type something like “hh” or “aa” nothing shows up. I don’t consider this as a design flaw, because what is the real flaw? User is supposed to enter a name to search, however they accidentally typed just a letter such as “h”–whats the bid deal showing what they are showing? As they are not revealing any sensitive date, I don’t find it to be problematic.

  5. You have a valid point. But if someone is looking to buy a gift item I suspect they would know a few letters beyond the recipient’s initials. This is certainly not a security breach, just poor programming standards in my opinion.

    • with plans to implement public wish lists on my own store, this is interesting.

      As long as no contact details are being share or explicitly with the user’s consent, this should not be an issue. But on the other hand, having a minimum of say 3 letters before executing a search and input of location might also be good.

      or should the urls be based on some alias and let the user have the responsibility of sharing it with the people.

      The two approaches totally differ based on what consumers would ideally want.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s