Is it sufficient to secure an order status page just by a random URL?

@Miguel251

Posted in: #Privacy #Security

After a (corporate) customer has bought some items in our online shop, we send him an email with an overview of what he has bought.

We'd like to inform our customer about received payments, package tracking, etc.
I would solve this by assigning each order a random ID and adding a link to each mail.
The link may look like this: shop.foo.bar/order/rwklvc46g9wt7kvy09f1
Would you take additional measures to protect the data? Or choose a completely different solution?

Advantages:

- no annoying status updates per mail (especially if frequent updates occur)
- single information source (never outdated)
- shareable (e.g. with his boss or colleagues)

Disadvantages:

- private data exposed on a publicly accessible website (e.g. phone numbers, payment details)


3 Comments


@Deb1703797

Yes, it does suffice as long as:

1. You just send the link via email and do not submit it to Google. According to your question this is what you do, so there is no way for Google to get to know the link; therefore it will never be indexed/crawled.
2. You make the ID used in the link random and sufficiently long.
   If it's not random, but you use a simple incremental integer as the ID, one of your customers could easily spot that by entering incrementally simple numbers in the link he could read all the other orders.
   If it's random, but not long enough (let's say it's made of only 4 digits/letters), it would be easy even with a home PC to brute force your orders: I would just need to try (26+10)^4 = 1,679,616 possible combinations. Let's say I run a script that tries one link per second; it would take the script less than 20 days to brute force all the possible links and read all your orders.

IMPORTANT: for increased security you should delete the link after a certain number of days (i.e. after 1 month). This is the trick to make it secure.
In this way, even if someone tries to brute force your links, he would need huge calc power, otherwise his attack will never be fast enough to try all possible combinations before they get deleted. And even if he has got huge calc power, he would hardly be able to test more than one link per second, because the server that handles your orders might start to refuse his connection if he tries to connect repeatedly once a second.

FYI: deleting the link does not mean you have to delete the whole order in the DB. You could use another primary key for the orders table (a simple autoincrement int) and a UNIQUE field (that allows NULL) called link_id that is the one you put in the link.
After a month you simply need to delete the value of link_id and set it to NULL. In this way the order will still be in the table and viewable from your admin panel, but the direct link won't be valid anymore to directly view the order page.

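Putting the points of this comment together (a sufficiently long random ID, the brute-force estimate, and nulling link_id after a month), as an added Python example that is not part of this thread. The in-memory dicts stand in for the orders table with its autoincrement key and UNIQUE nullable link_id column; the 36-symbol alphabet, 20-character length and 30-day lifetime are assumptions taken from the question's sample link and the comment.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, like the sample link
TOKEN_LEN = 20                                     # length of the sample link's ID
LINK_LIFETIME_S = 30 * 86400                       # "delete the link after 1 month"

orders: dict[int, dict] = {}   # autoincrement order id -> order row
links: dict[str, int] = {}     # link_id (UNIQUE, nullable column) -> order id


def new_link_id(length: int = TOKEN_LEN) -> str:
    """Cryptographically random ID; `secrets`, not `random`, so it is unguessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def brute_force_days(length: int, alphabet_size: int = len(ALPHABET),
                     attempts_per_second: float = 1.0) -> float:
    """Worst-case days to enumerate every possible ID at the given guess rate."""
    return alphabet_size ** length / attempts_per_second / 86400


def create_order(customer: str, now: float) -> tuple[int, str]:
    """Insert an order (constructed row) and return (internal id, public link id)."""
    order_id = len(orders) + 1
    link_id = new_link_id()
    orders[order_id] = {"customer": customer, "link_id": link_id,
                        "link_expires": now + LINK_LIFETIME_S}
    links[link_id] = order_id
    return order_id, link_id


def lookup_by_link(link_id: str, now: float):
    """Resolve a public link; an expired link is nulled out but the order row stays."""
    if len(link_id) != TOKEN_LEN or any(c not in ALPHABET for c in link_id):
        return None                      # reject malformed IDs before touching storage
    order_id = links.get(link_id)
    if order_id is None:
        return None
    order = orders[order_id]
    if now >= order["link_expires"]:
        order["link_id"] = None          # the "set link_id to NULL" step
        del links[link_id]
        return None                      # admin panel can still read orders[order_id]
    return order
```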



@Deb1703797

I think you should protect that data more. As for the simplicity of the system, I highly agree that a public URL with a random and unique string is enough and handy.

However, if methods of payment (including credit card information), emails or phones are going to be displayed, right there you have the need to protect that data. It also depends on what part of the world you are in, but in most of them this need extends to legal matters and users' data protection.

What most shopping websites do for this type of situation is either ask for credentials (login/password) or a tracking number with a tracking code, or something that only the user or the user's trusted parties may have.


@Shelley277

Without additional safety, no. Random URLs are crawled all the time. However, this is good when done with a sign-on page to authenticate the user.

An intermediate solution is to make sure the status page contains no personal data, only general info. For example, 'PAID BY CC' rather than 'PAID by VISA 1234567891' and 'Shipped' instead of 'Shipped to John Doe, 123 Blue Street', etc.
